Malicious PDF — malware analysis report

Static analysis result for SHA-256 a891fe57c4c9a95f…

Verdict: MALICIOUS
File type: PDF
Size: 38.3 KB
Authoring application: LibreOffice Draw
MD5: 8372def936c3f37f696832c2625ccbbd
SHA-1: f1221e8159bf008c952df520627603d851eb2879
SHA-256: a891fe57c4c9a95f19b60e30a52b6d88103e8ff39183808e71ae57883dc66dc0
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.002  Phishing: Spearphishing Link
T1059.001  Command and Scripting Interpreter: PowerShell

The PDF contains an unusually large number of external links for its size (38.3 KB), which triggered the PDF_SEO_LINK_FARM heuristic. That pattern matches generated SEO/link-farm carriers used in phishing or search-result manipulation to route users toward potentially malicious content. Note that the 17 extracted URLs are not clustered on a single host: they point at 16 different domains, but 16 of the 17 share one generated path structure (/uploads/1/3/0/<n>/130xxxxxx/<name>.pdf), which is the more useful pivot for hunting related carriers. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 independently supports the verdict. No scripts were extracted from this sample, so direct execution behaviour could not be assessed; the T1059.001 (PowerShell) mapping is therefore not evidenced by anything recovered from this file and should be read as an inference about the downstream delivery chain rather than an observed capability.

Heuristics (3)

  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION [critical]: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. A URL is not itself a detection; the scanner normally labels each URL with the channel that reached it (macro, JS, link annotation, document body, ...), but those per-URL labels are not included in this export, so the channel for each link below is not recorded here.
    • http://jarturner.com/uploads/1/3/0/6/130604413/rawokaxosifisev.pdf
    • http://michelletrappen.com/uploads/1/3/0/4/130436399/2771683.pdf
    • http://stullinvest.com/uploads/1/3/0/7/130775466/ad0de1.pdf
    • http://www.golfclub-prenden.de/uploads/1/3/0/5/130588299/lakamatinozonek.pdf
    • http://linamortensen.de/uploads/1/3/0/5/130539357/taxafonobifari-gibitugozibum.pdf
    • http://flatlandultrarunner.net/uploads/1/3/0/5/130541846/susixu.pdf
    • http://8mce3.bpmtc.com/uploads/1/3/0/8/130813497/tudofaxuxetibenamesa.pdf
    • http://uncommontern.com/uploads/1/3/0/7/130738762/fumasedepija.pdf
    • http://abilenehormonalwellnesscenter.com/uploads/1/3/0/6/130604740/dawebapa.pdf
    • http://musicforsoho.com/uploads/1/3/0/6/130621700/biken-kepevuv.pdf
    • http://lambl.net/uploads/1/3/0/4/130476978/pifoluxa-tesakakasefori.pdf
    • http://k12voip.com/uploads/1/3/0/5/130545021/02c8762f0dcfa.pdf
    • http://brandsview.com/uploads/1/3/0/8/130874666/levebi.pdf
    • http://nu9empire.com/uploads/1/3/0/5/130542728/8878010.pdf
    • http://budapestfoodandtravel.com/uploads/1/3/0/7/130739746/pedigizusexoxup_vijagu_jexopafozitera.pdf
    • http://fearlessculture.org/uploads/1/3/0/3/130323422/130323422.html#imagine+piano+sheet+music+free+download
    • http://uncommontern.com/upload
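To show what the PDF_SEO_LINK_FARM heuristic and the EMBEDDED_URL extraction above actually measure, here is an added Python example; it is not the scanner's code nor part of this report. It scans raw PDF bytes for /URI link actions, then applies a link-farm-style rule: small file, many external links, links clustered on one host or on one generated path template. The thresholds, the path-template check (an extension of the host-clustering check the heuristic describes) and every host name and URL in the sample input are assumptions; the sample PDF is constructed in the block so it runs offline.

```python
from __future__ import annotations
import re
from collections import Counter
from urllib.parse import urlsplit

# Literal-string form of a URI action: /URI (http://...). Caveat: this is a raw
# byte scan, so annotations inside compressed object streams (/ObjStm) or written
# as hex strings <...> are missed unless the file is decompressed first.
URI_RE = re.compile(rb"/URI\s*\((?P<s>(?:\\.|[^\\)])*)\)")


def _unescape(s: bytes) -> bytes:
    # Only \( \) \\ are handled; other PDF literal-string escapes (\n, \ddd) are not.
    return re.sub(rb"\\(.)", lambda m: m.group(1), s)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Every /URI literal string in the raw bytes, in file order."""
    return [_unescape(m.group("s")).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def path_template(url: str) -> str:
    """Reduce a URL path to its shape: digit-only segments become '#', the last
    segment becomes '*' plus its extension. Generated carriers often share one
    template even when every link sits on a different host (assumed extension
    of the host-clustering check described in the heuristic)."""
    parts = urlsplit(url).path.split("/")[1:]
    out = []
    for i, seg in enumerate(parts):
        if i == len(parts) - 1:
            ext = seg.rsplit(".", 1)[1].lower() if "." in seg else ""
            out.append("*." + ext if ext else "*")
        elif seg.isdigit():
            out.append("#")
        else:
            out.append(seg)
    return "/" + "/".join(out)


def link_farm_assessment(pdf_bytes: bytes, min_links: int = 10,
                         max_size_kb: int = 100, cluster_share: float = 0.5) -> dict:
    """Link-farm-style rule: small file, many external links, links clustered
    on one host or on one path template. Thresholds are assumptions."""
    external = [u for u in extract_uris(pdf_bytes)
                if u.lower().startswith(("http://", "https://"))]
    n = len(external)
    size_kb = len(pdf_bytes) / 1024
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in external)
    templates = Counter(path_template(u) for u in external)
    top_host, host_n = hosts.most_common(1)[0] if n else ("", 0)
    top_tpl, tpl_n = templates.most_common(1)[0] if n else ("", 0)
    host_share = host_n / n if n else 0.0
    tpl_share = tpl_n / n if n else 0.0
    flagged = (n >= min_links and size_kb <= max_size_kb
               and max(host_share, tpl_share) >= cluster_share)
    return {"external_links": n, "size_kb": round(size_kb, 1),
            "top_host": top_host, "host_share": round(host_share, 2),
            "top_template": top_tpl, "template_share": round(tpl_share, 2),
            "flagged": flagged}


def build_pdf(uris: list[str]) -> bytes:
    """Minimal single-page PDF with one /Link annotation per URI (constructed
    test input; it is not the analysed sample)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annots + b"] >>")
    for u in uris:
        esc = u.encode().replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + esc + b") >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


# Constructed URL sets: twelve links on twelve hosts sharing one generated
# path shape (the pattern seen in the report's list), and a normal citation pair.
FARM_URIS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/1305{i:05d}/doc{i}.pdf"
             for i in range(12)]
BENIGN_URIS = ["https://example.org/paper.pdf", "https://example.org/about",
               "mailto:someone@example.org"]

if __name__ == "__main__":
    for name, uris in (("farm", FARM_URIS), ("benign", BENIGN_URIS)):
        print(name, link_farm_assessment(build_pdf(uris)))
```

On a real sample, normalise the file first so the raw scan sees every annotation (for example `qpdf --qdf --object-streams=disable in.pdf out.pdf`) and then call `link_farm_assessment(open("out.pdf", "rb").read())`. The farm input is flagged on the path-template share (1.0) even though its host share is only 0.08, which is the situation the URL list in this report presents.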

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000039c0.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x39C0
Size: 9076 bytes
SHA-256: 293abd0fc98bc9341f253acdc9f9b553384f90f553d80b3a1053bcd08ac2c9a2