Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4b071a4066b3fff…

MALICIOUS

PDF

Size: 37.1 KB
Authoring application: OpenOffice Draw
MD5: 6da625e4ac869a440e5160775db71025
SHA-1: 4d4b4855bf63bc1dc205ec0e9f404126eb034bff
SHA-256: c4b071a4066b3fff8feaa506bff6b6cb2daf2b685575a5c190491252796a1029
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently points to phishing or traffic-driving intent. The document body is heavily obfuscated and unreadable, but its link annotations resolve to PDF files on 19 unrelated domains plus one HTML page, and all 20 targets share the same /uploads/1/3/0/<n>/<nine-digit id>/ path layout. That pattern indicates a generated link-farm carrier whose purpose is to manipulate search engine results or route users into a malicious or unwanted-software delivery chain, rather than a document with genuine citations.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://designingyourown.com/uploads/1/3/0/6/130604030/6488217.pdf
    • http://nfloo.com/uploads/1/3/0/7/130738912/ad0e2a171a6a5.pdf
    • http://cafecontinental.net/uploads/1/3/0/9/130969298/3731626.pdf
    • http://arareity.org/uploads/1/3/0/6/130621708/41a926f7ee22.pdf
    • http://noboysbeauty.com/uploads/1/3/0/2/130289549/bea4f37afb.pdf
    • http://chiavevents.com/uploads/1/3/0/5/130542909/2028579.pdf
    • http://petersand.net/uploads/1/3/0/5/130588499/52af69cb544c.pdf
    • http://modernmedicalplans.com/uploads/1/3/0/7/130775503/8425717.pdf
    • http://carlyzimmerman.com/uploads/1/3/0/7/130740514/gamibowim.pdf
    • http://mrhibbert.com/uploads/1/3/0/6/130639678/bogeroxufekijuget.pdf
    • http://truedetermination.shop/uploads/1/3/0/7/130739080/zetuta.pdf
    • http://candroid.net/uploads/1/3/0/2/130273987/nobijavisosedit.pdf
    • http://bigd401k.com/uploads/1/3/0/8/130813372/6958151.pdf
    • http://whitneyswings.com/uploads/1/3/0/6/130605229/17eb5c.pdf
    • http://hattrickvideo.com/uploads/1/3/0/6/130621238/lokobomubekubol-pojejesa-mabowobifoso-wapunububogu.pdf
    • http://enem2023.org/uploads/1/3/0/6/130621167/07eaa03ce22.pdf
    • http://victhebody.com/uploads/1/3/0/6/130639224/jeledekodur.pdf
    • http://knowlesdoor.com/uploads/1/3/0/3/130313320/d7a8609f05b.pdf
    • http://ragecola.com/uploads/1/3/0/7/130775665/bajuraloni_vumuj_pezovimofeja.pdf
    • http://x0477123xstreamtravel.xsideas.com/uploads/1/3/0/4/130476493/130476493.html#ed+ing+adjectives+speaking

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000031bd.bin
SHA-256: 8b33a5032b41a968dc77966138fa00c0d3d75b4b5bd2addc8702908c06037c60
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x31BD
Size: 8192 bytes
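As an added example (not the analysis platform's own code), the following Python script reproduces the two checks behind this report on a constructed sample: the PDF_SEO_LINK_FARM heuristic over /URI link annotations, and carving of an embedded sfnt font stream with its file offset and SHA-256, as in the artifact listed above. The regexes, the thresholds, the sample PDF builder and the placeholder hostnames (farm.example, other.example, other2.example) are assumptions introduced here; the script handles only uncompressed literal-string URIs and uncompressed streams, so a sample that packs its annotations into object streams or FlateDecode-encodes its fonts would need decoding first.

```python
"""Added example: raw-bytes PDF triage reproducing the PDF_SEO_LINK_FARM
heuristic and embedded sfnt font carving on a constructed sample.
Not the analysis platform's code; thresholds and sample data are assumptions."""
import hashlib
import re
from collections import Counter
from urllib.parse import urlparse

# Link annotations carry their target in /A << /S /URI /URI (...) >>.
# Only literal-string URIs are matched; hex strings and annotations packed
# inside compressed object streams would need decoding first (assumption:
# the sample stores its annotations uncompressed).
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# sfnt (TrueType/OpenType/collection) table-directory magics.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def extract_uris(pdf: bytes) -> list:
    """Return every literal-string /URI target, with escaped parens unescaped."""
    out = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        out.append(raw.decode("latin-1"))
    return out


def link_farm_score(pdf: bytes, size_limit=100 * 1024, min_links=10,
                    min_pdf_ratio=0.8) -> dict:
    """PDF_SEO_LINK_FARM idea: small file, many external links, mostly to other
    PDFs. Host concentration is reported, not required, because a farm may
    spread one link per host (as in this report). Thresholds are assumptions."""
    uris = [u for u in extract_uris(pdf)
            if u.lower().startswith(("http://", "https://"))]
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    top_host, top_count = (hosts.most_common(1) or [("", 0)])[0]
    pdf_ratio = len(pdf_links) / len(uris) if uris else 0.0
    flagged = (len(pdf) <= size_limit and len(uris) >= min_links
               and pdf_ratio >= min_pdf_ratio)
    return {
        "size": len(pdf),
        "external_links": len(uris),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / len(uris) if uris else 0.0,
        "flagged": flagged,
    }


def carve_sfnt_streams(pdf: bytes) -> list:
    """Return (offset, size, sha256) for each uncompressed stream whose body
    starts with an sfnt magic, mirroring the pdf-font-stream artifact."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        data = m.group(1)
        if data.startswith(SFNT_MAGICS):
            found.append((m.start(1), len(data), hashlib.sha256(data).hexdigest()))
    return found


def build_sample_pdf(n_farm=10) -> bytes:
    """Constructed sample: one page whose /Annots link to n_farm PDFs on one
    placeholder host plus two stragglers, and one embedded fake sfnt font.
    Hostnames are placeholders, not the ones listed in the report."""
    targets = [f"http://farm.example/uploads/1/3/0/{i}/{1000 + i}.pdf"
               for i in range(n_farm)]
    targets += ["http://other.example/a.pdf", "http://other2.example/page.html#x"]
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(targets)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /Annots [" + annot_refs + b"] >>")
    font = b"\x00\x01\x00\x00" + b"\x00" * 60  # fake TrueType table directory
    objs.append(b"<< /Length %d >>\nstream\n" % len(font) + font + b"\nendstream")
    for t in targets:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (" + t.encode() + b") >> >>")
    body = b"%PDF-1.4\n"
    for i, o in enumerate(objs, 1):
        body += b"%d 0 obj\n" % i + o + b"\nendobj\n"
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_score(sample))
    print(carve_sfnt_streams(sample))
```

Running the script against the constructed sample flags it (12 external links in a few kilobytes, 11 of them to .pdf targets), and carves one 64-byte sfnt stream with its offset and hash. On a real file, run it only after inflating object streams and FlateDecode stream bodies, or the link count will be silently zero.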