Malicious PDF — malware analysis report

Static analysis result for SHA-256 b72dacedc641303a…

MALICIOUS

PDF

Size: 36.3 KB
Authoring application: OpenOffice.org
MD5: 56390dcdda1b040b3767247d68facc49
SHA-1: 52543577644ffacd5d26a86c5572aaf74a13cc58
SHA-256: b72dacedc641303afabd746d007d096971d1ad7e1512789897fedc7915f0e49e
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell

The critical heuristic PDF_SEO_LINK_FARM fired: a 36.3 KB PDF carrying fifteen clickable external links. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 corroborates malicious intent, most likely phishing. The embedded URLs are the primary indicators of compromise. All but one point at further PDFs, and every target sits under the same /uploads/1/3/0/<n>/<id>/ path template, spread across fifteen distinct hosts; this is consistent with a generated redirection chain rather than a document's citations. No scripts were extracted from this sample, so the T1059.001 (PowerShell) mapping has no supporting artifact in the static analysis and should be treated as tentative until dynamic analysis or the link targets themselves confirm a script stage.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://daffo-diehlphotography.com/uploads/1/3/0/4/130483140/41bc18a45115361.pdf
    • http://yangphotography.net/uploads/1/3/0/7/130739341/e14785c201b5508.pdf
    • http://www.fdic.info/uploads/1/3/0/6/130639380/tugononigamav.pdf
    • http://hostmaster.creativitycoaching.co.uk/uploads/1/3/0/8/130873869/6dfcd40972c46e.pdf
    • http://nanonow.nl/uploads/1/3/0/8/130814216/5012792.pdf
    • http://www.accessinginclusion.org/uploads/1/3/0/5/130544953/6534831.pdf
    • http://noticias.aeromar.mx/uploads/1/3/0/7/130776182/7947331.pdf
    • http://freeyourmindnow.org/uploads/1/3/0/8/130873786/vovojexagobopov_fitidepesolave.pdf
    • http://awpcmarianna.com/uploads/1/3/0/5/130550951/4918213.pdf
    • http://merakiskincare.net/uploads/1/3/0/5/130539934/1391350.pdf
    • http://redttube.net/uploads/1/3/0/5/130538839/sadozof.pdf
    • http://sryoga.co.uk/uploads/1/3/0/5/130589085/sofojomamuripat.pdf
    • http://www.lotus-eater-bookonline.ca/uploads/1/3/0/5/130544352/sokiradi-sikixal.pdf
    • http://millerblade.com/uploads/1/3/0/4/130488244/subifotujamizunexa.pdf
    • http://x0075085xstreamtravel.xsideas.com/uploads/1/3/0/5/130551756/130551756.html#calculate+rectangular+prism+surface+area

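The link-farm heuristic and the per-URL channel labels described above, as an added example that is not the analysis tool's own code. It constructs a small uncompressed PDF in memory, pulls URLs out of /Link annotations and out of the page text, labels each by the channel that carried it, measures how the link targets cluster by host, and fires a PDF_SEO_LINK_FARM verdict. The thresholds, the reserved .example hostnames, and the helper names (build_demo_pdf, extract_urls, link_farm_verdict) are assumptions for the demo, not values taken from the report.

```python
"""Link-farm heuristic for small PDFs.

Added example, not the analysis tool's code: counts external /Link annotations,
measures how the link targets cluster by host, labels each extracted URL by the
channel that carried it (link annotation vs. document body), and fires a
PDF_SEO_LINK_FARM verdict. Thresholds and the .example hostnames are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed thresholds for illustration; the report does not publish its own.
MAX_SIZE_BYTES = 100 * 1024   # "small" PDF
MIN_EXTERNAL_LINKS = 10       # distinct external link annotations to fire
CLUSTER_SHARE = 0.5           # share of links on the single busiest host

# /URI (string) inside a link action; escaped characters are left unprocessed.
URI_ACTION = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Any bare URL in the raw bytes (content streams, metadata, comments).
BARE_URL = re.compile(rb"https?://[^\s<>()\[\]]+")


def build_demo_pdf(urls, body_url):
    """Construct a minimal uncompressed PDF: one /Link annotation per URL plus
    one URL written as page text (no xref table; the regex scan needs none)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % i for i in range(5, 5 + len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Contents 4 0 R /Annots [" + annots + b"] >>")
    text = b"BT /F1 12 Tf 72 720 Td (" + body_url + b") Tj ET"
    objs.append(b"<< /Length %d >>\nstream\n" % len(text) + text + b"\nendstream")
    for n, url in enumerate(urls):
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 300 %d] "
                    b"/A << /S /URI /URI (" % (700 - 14 * n, 712 - 14 * n)
                    + url + b") >> >>")
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def extract_urls(pdf):
    """Map url -> channel. Real samples often compress objects (FlateDecode
    object streams); inflate those first or this raw scan will miss them."""
    found = {}
    for m in URI_ACTION.finditer(pdf):
        found[m.group(1).decode("latin-1")] = "link_annotation"
    for m in BARE_URL.finditer(pdf):
        # A URL already seen via an annotation keeps that stronger label.
        found.setdefault(m.group(0).decode("latin-1"), "document_body")
    return found


def link_farm_verdict(pdf):
    """Apply the heuristic and return the evidence alongside the verdict."""
    urls = extract_urls(pdf)
    external = [u for u, ch in urls.items() if ch == "link_annotation"]
    hosts = Counter(urlsplit(u).hostname for u in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(external) if external else 0.0
    return {
        "size_bytes": len(pdf),
        "external_links": len(external),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "clustered": share >= CLUSTER_SHARE,
        "PDF_SEO_LINK_FARM": len(pdf) <= MAX_SIZE_BYTES
                             and len(external) >= MIN_EXTERNAL_LINKS,
        "urls": urls,
    }


# Constructed sample: the same /uploads/1/3/0/<n>/<id>/ path template as the
# report's IOCs, on reserved .example hosts; seven of twelve share one host.
DEMO_URLS = (
    [b"http://link-farm-a.example/uploads/1/3/0/4/13048314%d/doc%02d.pdf" % (i, i)
     for i in range(7)]
    + [b"http://%s.example/uploads/1/3/0/5/13055095%d/doc%02d.pdf" % (h, i, i)
       for i, h in enumerate((b"photo-b", b"shop-c", b"yoga-d", b"news-e", b"blade-f"))]
)
# Constructed: a URL that appears only in page text, not in any annotation.
DEMO_BODY_URL = (b"http://travel-g.example/uploads/1/3/0/5/130551756/130551756.html"
                 b"#calculate+rectangular+prism+surface+area")


if __name__ == "__main__":
    for name, urls in (("link-farm", DEMO_URLS), ("two-citation", DEMO_URLS[:2])):
        verdict = link_farm_verdict(build_demo_pdf(urls, DEMO_BODY_URL))
        print(name, {k: v for k, v in verdict.items() if k != "urls"})
```

The verdict deliberately reports host clustering as context rather than as a gating condition: the sample on this page fires with fifteen links on fifteen hosts, so a rule that required a single dominant host would miss it. The body-text URL is surfaced with its own channel label so an analyst can see it was never clickable.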
Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003418.bin
SHA-256: 3ee528302874277bfd8ed0790b1da37812463101b913154131e4110ad7618c46
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3418
Size: 8000 bytes