Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4ef7892a3fc0a16…

Verdict: MALICIOUS
File type: PDF
Size: 39.6 KB
Authoring application: LibreOffice
MD5: 5e35bfff27aa4203c0058d8ab1104d47
SHA-1: 9df8b1143b7e3d172ab753af105023f41cf4e8d5
SHA-256: b4ef7892a3fc0a1620b6316ea32d6d209797ccf3bd58f9b38c166a4978ce4636
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious nature of this file. No scripts were extracted, and the document body was truncated, limiting further analysis of the specific lure.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://yourhomedesigns.us/uploads/1/3/0/4/130489361/ba44100db1.pdf
    • http://componentcatalog.dev/uploads/1/3/0/6/130620892/nilumov.pdf
    • http://storehousefood.org.uk/uploads/1/3/0/5/130552097/8470510.pdf
    • http://shotcomposer.com/uploads/1/3/0/7/130739017/f6e07d47e.pdf
    • http://rchendesign.com/uploads/1/3/0/5/130590469/guvusedosawar.pdf
    • http://storeoutsideyourdoor.com/uploads/1/3/0/5/130539987/00565d6ba173f0.pdf
    • http://alisonyinblog.com/uploads/1/3/0/4/130435966/3733762.pdf
    • http://musicforsoho.com/uploads/1/3/0/8/130814851/rulevoxero_funivopidij_pojugixaserob_fidovuf.pdf
    • http://beezybrand.com/uploads/1/3/0/6/130620893/0d9ca8183adf5.pdf
    • http://photoandvideoclasses.com/uploads/1/3/0/6/130620859/5b90c3fe.pdf
    • http://laceyandleatherexoticattirellc.com/uploads/1/3/0/7/130739043/df6972e995b.pdf
    • http://devanttravels-crystal.net/uploads/1/3/0/2/130287973/mudixebedelu-visezusegor.pdf
    • http://sooperda.com/uploads/1/3/0/3/130313748/nukaza.pdf
    • http://grumpysgreen.com/uploads/1/3/0/5/130544635/b2086479c6177.pdf
    • http://missouridwi.info/uploads/1/3/0/7/130775607/lomufijojikog-zuxek-gaguda-xirogazodika.pdf
    • http://mail.deercreekarchery.com/uploads/1/3/0/6/130621951/8098548.pdf
    • http://naomi-anderson.de/uploads/1/3/0/7/130776399/zowutugodelafijesaf.pdf
    • http://lingoweaver.net/uploads/1/3/0/3/130312965/1515215.pdf
    • http://teamborkowski.com/uploads/1/3/0/5/130540402/16b519723970.pdf
    • http://reliancemartialarts.com/uploads/1/3/0/8/130814711/kodegarujutabuvitewo.pdf
    • http://cappra.org/uploads/1/3/0/2/130272477/6503096.pdf
    • http://wcd-lzubvsmk.mgh-r.ch/uploads/1/3/0/2/130270823/130270823.html#printable+abc+tracing+worksheets

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003a12.bin
SHA-256: 7b338eb80b9af6ec647e6433df0f0e221af394a710674dd911087d27e8013f29
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3A12
Size: 8064 bytes