Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e3ba585fc40e325…

Verdict: MALICIOUS
File type: PDF
Size: 41.4 KB
Authoring application: LibreOffice
MD5: 7d32358b24b9b9b8cdf7e4824bf0fdb9
SHA-1: a3927b78c529769a73c69414d0318fe83d505c5e
SHA-256: 9e3ba585fc40e325798c3c235d73cf137532d5dfa6d0246b3a189da3e30a289b
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files hosted on various domains. This technique is commonly used for SEO poisoning or to redirect users to malicious content, as indicated by the 'PDF_SEO_LINK_FARM' heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000341a.bin
  SHA-256: 6dc6e07f93ae70488a19e8a398a1c6cda2f5723fc3d3cbe180c5afbb10c3611e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x341A
  Size: 2864 bytes

Filename: font_01_sfnt_off000040ce.bin
  SHA-256: b493b608ece1e16ea0e91fb2de7e98df88d758371b740f180d432762df61af37
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x40CE
  Size: 8784 bytes