Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae43b6446c21d698…

MALICIOUS

PDF

Size: 54.7 KB
Authoring application: OpenOffice Draw
MD5: 3f105a1ee5efc9db157cfaea1f2b214d
SHA-1: e9d801678072492eac84978120acc13559a1700b
SHA-256: ae43b6446c21d698978be4af5837915ac4030590fb5377661b1ab0b5e77b6d14
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment

The PDF file contains a large number of embedded links, identified as a link farm, which is a common tactic for phishing and malware distribution. The heuristic 'PDF_SEO_LINK_FARM' and the ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly indicate malicious intent. Although each embedded URL is individually marked as benign, together they form the attack vector. The document body contains garbled text and some references to educational material, which are likely decoys.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000128a.bin
  SHA-256: b271c8dac19cf64c4baf5e3c551d85d6223a2bf382c8f899ba89da81ed620396
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x128A
  Size: 8308 bytes

Filename: font_01_sfnt_off00006871.bin
  SHA-256: 5bde1a8ecdaada6fecb26ec7333c031491339a83b08e37b011756f9a51155d53
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6871
  Size: 16624 bytes

Filename: font_02_sfnt_off000080e4.bin
  SHA-256: 6c957b316f66bc5e02d7fb7cadd8e8fa8c62ac5b21037b739cafad4883e4e448
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x80E4
  Size: 13296 bytes