Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8d1906ecbbf8902…

MALICIOUS

PDF

Size: 48.4 KB
Authoring application: OpenOffice.org
MD5: 3ace171a1473da02894a27a5c35a6ab3
SHA-1: 39cd029aa4dcd82795c833ce25ed1cdd00ded10f
SHA-256: b8d1906ecbbf8902baf6ffa47828c35b5a17b4672c96960a73a30cf2b2072b67
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001246.bin
SHA-256: 9d85c8d71e51a47b60b7781e097642f28ef5f3a3b1be7cc967208945f519b3f0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1246
Size: 8880 bytes