Malicious PDF — malware analysis report

Static analysis result for SHA-256 be0ea8145dc7044c…

Verdict: MALICIOUS
File type: PDF
Size: 46.7 KB
Authoring application: OpenOffice Draw
MD5: 55d4533f2756fcdee1220094e4aaa786
SHA-1: ede7fb21fd7603c98981a75231d8a22fe60e28f5
SHA-256: be0ea8145dc7044c1e03b841ef2537826738fe7846d9f8e9ed18102e11a76060
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was detected by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a large number of embedded external links, indicating a link farm designed to redirect users to potentially malicious content. The document body contains references to applications and games, possibly as a lure. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://silvertonnaz.com/uploads/1/3/0/4/130483256/2110b61d.pdf
    • http://marinbasic.com/uploads/1/3/0/6/130621190/gububom-difonegena-govis.pdf
    • http://nishati-healer.org/uploads/1/3/0/4/130488700/wabupu_kamaxog.pdf
    • http://omrr.org/uploads/1/3/0/3/130323693/921785e7d34e0c.pdf
    • http://suitsforteens.org/uploads/1/3/0/4/130435846/lofom.pdf
    • http://kidkazoo.net/uploads/1/3/0/5/130543941/5362889.pdf
    • http://meshayla.com/uploads/1/3/0/4/130476747/130476747.html#atom+launcher+apk+free

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001128.bin
    SHA-256: fae28a80d2bdaa6ba83715eaf5b7f2ae4b576cc8ec2a8f16fb16c68dcd166e58
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1128
    Size: 9068 bytes
  • Filename: font_01_sfnt_off00006885.bin
    SHA-256: 0efc485bfecffc3e9ad601ef019a4ed7c4acd3ce5dcf48e6d21f45b21f0bad0f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6885
    Size: 1576 bytes
  • Filename: font_02_sfnt_off00006fd1.bin
    SHA-256: 5ddca39e6fd2324dd92930cf44ae6cbd77a84e5c6b4c6d75749c14e063592935
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6FD1
    Size: 16164 bytes