Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0ef265728f54010…

MALICIOUS

PDF

Size: 29.3 KB
Authoring application: LibreOffice Draw
MD5: 73c897fbca9d29b2d807b4655832fe89
SHA-1: 8cbc94a82f01ed234eb38acb5239fb26fd4c093f
SHA-256: c0ef265728f540108e1b9ca117bff334a571e9a635a4548c20a8567efac3f686
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was identified as malicious by ClamAV with the signature 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis revealed a significant number of embedded external links, a technique often used in SEO poisoning or phishing campaigns to redirect users to malicious sites. The document body, while containing seemingly innocuous text about 'Ionic compound nomenclature worksheet', also contains these numerous links, reinforcing the malicious intent. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001152.bin
  Hash: d119f46481cf943f4b069447f985a28e5b247437824340fdbc1a1646b0cc8c48
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1152
  Size: 7716 bytes