Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5d42e4f66c31b2b…

Verdict: MALICIOUS
File type: PDF
Size: 37.7 KB
Authoring application: LibreOffice Draw
MD5: f1e660283f1a81f938ae8652a42d8e92
SHA-1: a3a17cf1d8528a7b257f10264db240b0f72281e5
SHA-256: c5d42e4f66c31b2bdc667f414b5aaa0df57da6c0b8ed3b5e5b7eca2b629addb8
Risk score: 162

Malware Insights

MITRE ATT&CK
  • T1204.002 User Execution: Malicious File
  • T1059.003 Command and Scripting Interpreter: Windows Command Shell

The PDF contains a large number of external links, many of which point to PDF files on similar domains, suggesting a link farm or SEO poisoning tactic. The 'SE_CLICKFIX' heuristic indicates the document likely instructs the user to press Win+R or paste a command into a terminal, a common social engineering technique to bypass macro restrictions. This suggests the document's primary purpose is to trick the user into executing a command that would likely download and execute a secondary payload from one of the embedded URLs.

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • ClickFix social engineering attack [high] SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://dazluq.com/uploads/1/3/0/7/130775242/37275f58ad.pdf
    • http://ianburnley-studio.net/uploads/1/3/0/6/130604737/6409431.pdf
    • http://essentialaffair.com/uploads/1/3/0/6/130604311/8472005.pdf
    • http://www.morefm917.com/uploads/1/3/0/6/130621051/6376412.pdf
    • http://lockdog.com/uploads/1/3/0/2/130272925/7434332.pdf
    • http://onsightcoffee.com/uploads/1/3/0/2/130289259/7625415.pdf
    • http://harleesalazarphotography.com/uploads/1/3/0/5/130551576/sodagexix.pdf
    • http://living-sustainably.org/uploads/1/3/0/7/130739853/toxijopidugid.pdf
    • http://ithamarenriquez.com/uploads/1/3/0/5/130540767/xusewiwefuro_xokabole_nunil_fodijiputin.pdf
    • http://www.adentacolombia.com/uploads/1/3/0/6/130604562/pereteribe_xadizomew_narafo_sovadizuze.pdf
    • http://aberbala.com/uploads/1/3/0/5/130589115/9663447.pdf
    • http://clucktruckportland.com/uploads/1/3/0/4/130436049/jerenivevetuti.pdf
    • http://scopehomeinspection.com/uploads/1/3/0/5/130589399/8627648.pdf
    • http://sblimexprnce.com/uploads/1/3/0/6/130620818/xupedom.pdf
    • http://joshhutson.net/uploads/1/3/0/7/130740344/wimaful_xulewa.pdf
    • http://determinedtolearn.info/uploads/1/3/0/7/130776493/wabusaradivof.pdf
    • http://www.basicboard.com/uploads/1/3/0/3/130379427/a57e0a0a0b86dc2.pdf
    • http://sufistudies.org/uploads/1/3/0/6/130604447/luvumizoxinaseru.pdf
    • http://cqe8.brdge.org/uploads/1/3/0/6/130604993/130604993.html#cisco+access+point+static+ip+address

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000354a.bin
    SHA-256: d5e04f44ac6ba681fbcb9a5b70cdff7d8bfceaab0790cc3e441906f4a77cc680
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x354A
    Size: 8172 bytes