Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d9813beda2ffd4d…

MALICIOUS

PDF

Size: 43.6 KB
Authoring application: LibreOffice Draw
MD5: 2756a3eeb15275b0519e34b3ec7d7a96
SHA-1: d05c0093b0eb6d9d767e8a5d697be11256ea5547
SHA-256: 9d9813beda2ffd4dcec9ca201909b92398a1ccaa6d1decca210ba23176e20209
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1204.001 User Execution: Malicious Link; T1566 Phishing

The PDF contains a large number of embedded links, identified as a link farm, whose primary purpose is to route users to malicious content. The SE_FAKE_CAPTCHA heuristic indicates that the document displays a fake CAPTCHA in order to induce the user to interact with the content. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 corroborates the phishing and malicious-download intent.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Fake CAPTCHA / human verification prompt [high, SE_FAKE_CAPTCHA]
    Document displays a fake CAPTCHA or human-verification prompt, used to trick users into running commands or pressing keyboard shortcuts
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (25):
    • http://lw-jobs.com/uploads/1/3/0/4/130483487/6f8c8e7decbd65.pdf
    • http://thehandmadehydrangea.com/uploads/1/3/0/6/130640063/24dc8a649eb.pdf
    • http://berkshireheros.org/uploads/1/3/0/5/130544001/4c078bbf.pdf
    • http://mikaelmonk.com/uploads/1/3/0/6/130604511/8ab1e14b65b3114.pdf
    • http://thecreativechecklist.com/uploads/1/3/0/5/130551115/vuvanozipobi-nolareli-fusaxu.pdf
    • http://coastaltest.club/uploads/1/3/0/4/130483256/pomagimesere.pdf
    • http://mycfccrew.com/uploads/1/3/0/6/130620849/3d8b518788ae.pdf
    • http://metairielaw.com/uploads/1/3/0/8/130813132/a3520594.pdf
    • http://www.design4hri.net/uploads/1/3/0/2/130287503/pabitezuzaluzerodixu.pdf
    • http://belmontrealestate.net/uploads/1/3/0/4/130476066/9226991.pdf
    • http://rebeccawallach.net/uploads/1/3/0/4/130435925/2665423.pdf
    • http://jaimoda.com/uploads/1/3/0/6/130639591/podegazetabobon.pdf
    • http://cheriflainformations.com/uploads/1/3/0/2/130289369/votivupe.pdf
    • http://virtualizationvelocity.com/uploads/1/3/0/2/130291555/5687244.pdf
    • http://mosholudaycamp.com/uploads/1/3/0/2/130270863/2a0aafa9.pdf
    • http://mytridentestates.com/uploads/1/3/0/5/130540021/453817.pdf
    • http://efectofemme.com/uploads/1/3/0/3/130379123/tikuwexoneb.pdf
    • http://jessica-carlson.com/uploads/1/3/0/8/130813934/169813.pdf
    • http://1wiseparent.com/uploads/1/3/0/7/130739268/9560785.pdf
    • http://www.plettbridalboutique.co.za/uploads/1/3/0/6/130621654/zotapibol-kovirifo-wumuruleb.pdf
    • http://collinturner.com/uploads/1/3/0/8/130874085/bajedi_fivixuvorov_puzafu.pdf
    • http://www.leeschweninger.com/uploads/1/3/0/3/130313070/7744422.pdf
    • http://dianehunterart.com/uploads/1/3/0/3/130323277/d57a21a3.pdf
    • http://newnextsf.com/uploads/1/3/0/3/130313155/sapirukotifowip-wajivubiduko-kaduvaz-lapesigo.pdf
    • http://wcd-jtdgd98u.mgh-r.ch/uploads/1/3/0/6/130603979/130603979.html#adhar+card+correction+form+fill
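The PDF_SEO_LINK_FARM heuristic above is described only in words. The script below is an added example (not the analysis platform's own logic) of how such a check can be approximated: it pulls every /URI target out of a PDF's uncompressed object text, handling both literal and hex-encoded PDF strings, and then measures how many external links there are, what share point at .pdf files, and how strongly they cluster by host or by a shared path template. The sample PDF, its example-*.test hostnames and the thresholds are constructed for the example; a real carrier may keep its annotations inside FlateDecode object streams, which this raw scan cannot see without inflating them first.

```python
"""Approximate PDF link-farm heuristic (added example, not the platform's code)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches "/URI (literal string)" or "/URI <hex string>". Indirect references
# such as "/URI 9 0 R" and strings inside compressed object streams are NOT
# covered; a production scanner must inflate streams and resolve references.
URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def _decode_literal(raw: bytes) -> str:
    """Undo PDF literal-string escapes: \\( \\) \\\\ and \\n-style escapes.
    Octal escapes and line continuations are ignored; enough for URLs."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):          # backslash
            nxt = raw[i + 1:i + 2]
            out += _ESC.get(nxt, nxt)
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")


def _decode_hex(raw: bytes) -> str:
    digits = re.sub(rb"\s", b"", raw)
    if len(digits) % 2:                                   # spec: odd length is padded with 0
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii")).decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Return every /URI target visible in uncompressed object text, in file order."""
    uris = []
    for m in URI_RE.finditer(pdf):
        if m.group("lit") is not None:
            uris.append(_decode_literal(m.group("lit")))
        else:
            uris.append(_decode_hex(m.group("hex")))
    return uris


def link_farm_report(pdf: bytes, min_links: int = 10, max_size: int = 256 * 1024) -> dict:
    """Score the link-farm pattern: small file, many external links, mostly .pdf
    targets, clustered on one host or one digit-templated upload path."""
    uris = extract_uris(pdf)
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter(urlsplit(u).hostname for u in external)
    # Path template: drop the file name, replace digit runs with N, so
    # /uploads/1/3/0/4/1234/x.pdf and /uploads/1/3/0/6/9876/y.pdf collapse together.
    templates = Counter(
        re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0] or "/") for u in external
    )
    pdf_targets = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tmpl, top_tmpl_n = templates.most_common(1)[0] if templates else (None, 0)
    pdf_share = len(pdf_targets) / n if n else 0.0
    host_share = top_host_n / n if n else 0.0
    tmpl_share = top_tmpl_n / n if n else 0.0
    flagged = (len(pdf) <= max_size and n >= min_links and pdf_share >= 0.5
               and (host_share >= 0.5 or tmpl_share >= 0.5))
    return {"size_bytes": len(pdf), "external_links": n, "pdf_share": pdf_share,
            "top_host": top_host, "top_host_share": host_share,
            "top_template": top_tmpl, "top_template_share": tmpl_share,
            "flagged": flagged}


# --- constructed sample input (placeholder hosts, not the report's URLs) ---
def _link_obj(num: int, uri: str, hex_string: bool = False) -> str:
    if hex_string:
        s = "<" + uri.encode("latin-1").hex() + ">"
    else:
        s = "(" + uri.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)") + ")"
    return f"{num} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI {s} >> >> endobj\n"


def build_sample_pdf() -> bytes:
    """Minimal uncompressed PDF skeleton with five link annotations."""
    body = ("%PDF-1.4\n"
            "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            "3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj\n"
            + _link_obj(4, "http://example-a.test/uploads/1/3/0/4/1111/aa.pdf")
            + _link_obj(5, "http://example-b.test/uploads/1/3/0/5/2222/bb.pdf")
            + _link_obj(6, "http://example-c.test/uploads/1/3/0/6/3333/cc.pdf")
            + _link_obj(7, "http://example-d.test/uploads/1/3/0/2/4444/dd.pdf", hex_string=True)
            + _link_obj(8, "http://example-a.test/page.html#adhar(card)")   # exercises escapes
            + "trailer << /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


if __name__ == "__main__":
    for u in extract_uris(build_sample_pdf()):
        print(u)
    print(link_farm_report(build_sample_pdf(), min_links=4))
```

With the sample, the host share is only 0.4 (the five links spread over four hosts), but the shared /uploads/N/N/N/N/N template covers 0.8 of them, so the check still fires once the link count threshold is met; that template clustering is exactly what makes the URL list above look generated rather than cited.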

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004711.bin
SHA-256: 14fb49ed8f8513e73963fd5b16d4b14d47fa03475631e3656b5f834ff0f42b9c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4711
Size: 8028 bytes