Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd786c00c0af672c…

Verdict: MALICIOUS
File type: PDF
Size: 50.1 KB
Authoring application: OpenOffice.org
MD5: eb352df4275c9cb7ee62d6f5c38f9a41
SHA-1: ac070fd88fc6037ff639b39d640c873b25cf3a5a
SHA-256: bd786c00c0af672c7e18ddf8b33e73598983cb5150a424e173d862994bacc4b6
Risk Score: 162

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains a fake CAPTCHA lure to deceive users into interacting with the document. It also hosts a large number of external links, with the primary suspicious URL being http://giritaravi.catiacristais.com/uploads/2020/01/28/getilukikurasu.pdf. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports its malicious nature, indicating a phishing or traffic redirection purpose.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Fake CAPTCHA / human verification prompt (severity: high, rule: SE_FAKE_CAPTCHA)
    Document displays a fake CAPTCHA or human-verification prompt, used to trick users into running commands or pressing keyboard shortcuts.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://giritaravi.catiacristais.com/uploads/2020/01/28/getilukikurasu.pdf
    Other extracted URLs:
    • https://pegesusop.weebly.com/uploads/1/3/0/6/130605161/wapewifazav-napozudizapiv-sukuzajag-zadomu.pdf
    • http://belezoru.labdo.net/uploads/2020/01/29/tewunupazinup.pdf
    • https://rulonajatuw.weebly.com/uploads/1/3/0/5/130551726/lelivafikewo-jevujenaximej.pdf
    • http://nitegeka.myshop15.site/uploads/2020/01/27/67a2b0.pdf
    • https://sevuridavanesos.weebly.com/uploads/1/3/0/4/130491932/vezimimiwuzepok.pdf
    • http://merrymanchiropractic.com/uploads/1/3/0/5/130589305/86907c170f.pdf
    • http://capitalecowash.com/uploads/1/3/0/5/130546343/994c63d1210a1.pdf
    • http://timezofaj.gbpfinancials.com/uploads/2020/01/28/pagevube-mijisisowe.pdf
    • http://doctor-frank.ru/uploads/2020/01/27/gamimuxase_veborudem.pdf
    • http://matone.ru/uploads/2020/01/27/977a61.pdf
    • http://jogdance.com/uploads/1/3/0/6/130621401/89dc40c7.pdf
    • http://dute.hayatimbirfilm.com/uploads/2020/01/28/4704928.pdf
    • http://duwudin.flashapp.online/uploads/2020/01/27/ca38bc05bd50.pdf
    • http://kuvurusiv.jen-sovety.info/uploads/2020/01/27/a2fad42c.pdf
    • http://deevki.icu/uploads/2020/01/28/gomagilu.pdf
    • http://somersetfoodtrail.org/uploads/1/3/0/3/130379611/130379611.html#bypass+frp+android+6+apk+free

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000014d4.bin
  SHA-256: 2c829df1d32576a9fd7ca7d8abf9f8d039780cf9b92c016d5e6875ff201e40bb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14D4
  Size: 8660 bytes

Filename: font_01_sfnt_off000076c8.bin
  SHA-256: 93c6e29fa0715075740ca313f0a7025c88f1eb15b26c53dd9cab0c0d981d2943
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x76C8
  Size: 12344 bytes