Malicious PDF — malware analysis report

Static analysis result for SHA-256 c52f797795643429…

MALICIOUS

PDF

51.3 KB Authoring application: LibreOffice
MD5: e359c34819553d35cc88de40359d1c9c SHA-1: 870f20bcdb0d2de032aacf647bac6f4c9befd8d4 SHA-256: c52f7977956434290448a096ed81647b476b573fe2b0e80e4923b5dde6e09ffd
162 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDFs, a technique often used for SEO poisoning or to distribute malicious content. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests the document may be instructing the user to open a password-protected archive, which is a common tactic to bypass security scans. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further confirms its malicious nature, likely related to traffic redirection or phishing. The document body itself contains a link to 'http://numaluvuf.familiarizarse.info/uploads/2020/01/28/8894240.pdf', reinforcing the link farm heuristic.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://numaluvuf.familiarizarse.info/uploads/2020/01/28/8894240.pdf
    • http://ms-holly-hagman.com/uploads/1/3/0/6/130620928/talujiroxanar.pdf
    • http://adentapoland.com/uploads/1/3/0/3/130323337/felolile.pdf
    • http://gixowuned.gk-absolutstroy.ru/uploads/2020/01/28/4878222.pdf
    • http://fitrition.com.au/uploads/1/3/0/4/130476205/mikotovepeforuje.pdf
    • http://padmasitaa.online/uploads/1/3/0/6/130639476/majeweludujob.pdf
    • http://amredco.com/uploads/1/3/0/2/130289393/ab347c19896a.pdf
    • http://clarionbobcatfootball.com/uploads/1/3/0/5/130589044/gosuxaf_mipudovasuw_fagoxopajida_xetagezizozi.pdf
    • http://termdirect.com/uploads/1/3/0/6/130639438/4797127.pdf
    • http://mdcurbside.net/uploads/1/3/0/2/130289662/c600a0dd92d.pdf
    • http://premierbeachpropertymanagement.com/uploads/1/3/0/5/130588740/739879.pdf
    • http://momandpopeshop.com/uploads/1/3/0/5/130588551/7464895.pdf
    • http://agencepro-pose.com/uploads/1/3/0/5/130588968/130588968.html#oracle+11g+express

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001268.bin
7cdbd7fee4630cab574fb459583a95b0bfa41d9078c1d7cb0e947112a4230519		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1268 8388 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.