Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8b5c754eeaf507c…

Verdict: MALICIOUS
File type: PDF
Size: 40.5 KB
Authoring application (self-declared in metadata): LibreOffice
MD5: 6d1dc5ac726f8d76e47d9d1823464eea
SHA-1: c3ccc3185dcf639352e7aa980a5c3c7d06f05a38
SHA-256: c8b5c754eeaf507c6cedfc7de38189ed49dd0514a3216d4ae718df0f86023586
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The sample triggers the critical PDF_SEO_LINK_FARM heuristic: a 40.5 KB PDF carrying twenty clickable external links, nineteen of which point at further PDFs hosted under the identical /uploads/1/3/0/N/<nine-digit id>/ path template on unrelated domains. That pattern matches machine-generated SEO link-farm content rather than genuine document citations. ClamAV independently detects the file as Pdf.Phishing.TtraffRobotInstall-7605656-0. The embedded URLs are most likely used to route users into phishing or malware / unwanted-software delivery chains. No scripts (JavaScript, OpenAction, Launch) were extracted from this sample, so the chain depends on the user clicking a link. The LibreOffice producer string is self-declared metadata and carries no evidential weight.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels, where shown, indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://daredogs.com/uploads/1/3/0/6/130622111/2606893.pdf
    • http://metropolitaneprep.com/uploads/1/3/0/5/130550708/8025695.pdf
    • http://www.mrahmedcomputing.co.uk/uploads/1/3/0/2/130270899/sumerepurarexufaxel.pdf
    • http://www.jbprotein.store/uploads/1/3/0/8/130813447/rubaril_nogusepaxufewu_raromevixe_zomumavoxawamof.pdf
    • http://nejucafe.com/uploads/1/3/0/7/130739256/4034923.pdf
    • http://steveslawnmowersales.com/uploads/1/3/0/7/130776266/4718182.pdf
    • http://smaese.com/uploads/1/3/0/7/130775725/xerivu-fizoloxu-managerisilemo.pdf
    • http://tabjs.com/uploads/1/3/0/4/130475994/dagemizibezijeze.pdf
    • http://bridesewbeautiful.org/uploads/1/3/0/4/130489222/4122515.pdf
    • http://elenatoscano.com/uploads/1/3/0/6/130604218/ff4b5d9eca.pdf
    • http://virginiacityrental.com/uploads/1/3/0/7/130738621/bojej.pdf
    • http://bark-blaster.com/uploads/1/3/0/6/130621610/savemomadi_dumitu_pulizekalafuba.pdf
    • http://northshorepaintinginc.com/uploads/1/3/0/6/130639540/3a420f62a54.pdf
    • http://reikisoundbliss.com/uploads/1/3/0/5/130543092/lodutadegemivi_vapimak.pdf
    • http://dhcenter.net/uploads/1/3/0/2/130271205/6637853.pdf
    • http://brukibaljan.com/uploads/1/3/0/8/130813846/fetov_dukenenuxezigo_lafobajilub_wipimupiwume.pdf
    • http://davidfert.com/uploads/1/3/0/5/130551904/3843510.pdf
    • http://ltlevine.com/uploads/1/3/0/2/130288673/gamami.pdf
    • http://tramontanafv.com/uploads/1/3/0/8/130813992/8826204.pdf
    • http://74-123-73-2.mgwnet.com/uploads/1/3/0/7/130775405/130775405.html#invasive+ductal+carcinoma+ductal+carcinoma+in+situ
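The PDF_SEO_LINK_FARM heuristic described above, and the URL list it produced, can be reproduced with a short triage script. The following is an added example written for this page, not the analysis platform's own detector: it pulls /URI link-annotation targets out of a PDF (including from FlateDecode streams, which a raw byte scan would miss when annotations live in object streams), then scores file size, external link count, host clustering and the share of targets that are themselves PDFs. The thresholds, the `*.example` hosts, the templated paths and the minimal PDF builder are assumptions constructed for the demonstration.

```python
"""Link-farm triage for PDF carriers, modelled on the PDF_SEO_LINK_FARM heuristic.

Added example, not the analysis platform's own code. Thresholds, the sample
PDF builder and the *.example hosts are constructed for illustration.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string) inside a link action.  Hex strings (<...>) and
# unescaped nested parens are not handled; full triage tools cover both.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# stream ... endstream bodies; the lookbehind stops 'endstream' acting as a start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def pdf_uris(data: bytes) -> list[str]:
    """Collect /URI targets from the raw bytes and from every zlib (FlateDecode)
    stream, because annotations stored in object streams never appear in clear."""
    blobs = [data]
    for m in STREAM_RE.finditer(data):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not a zlib stream (image data, other filters, encrypted)
    uris = []
    for blob in blobs:
        for m in URI_RE.finditer(blob):
            raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
            uris.append(raw.decode("latin-1"))
    return uris


def link_farm_score(data: bytes, *, max_size=200_000, min_links=10,
                    pdf_share=0.8, top_host_share=0.5) -> dict:
    """Flag a small PDF whose purpose is to point at many external .pdf targets,
    whether they cluster on one host or spread over a templated hosting path.
    All four thresholds are assumptions; tune them against your own corpus."""
    external = [u for u in pdf_uris(data)
                if u.lower().startswith(("http://", "https://"))]
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in external)
    pdf_targets = sum(urlsplit(u).path.lower().endswith(".pdf") for u in external)
    n = len(external)
    top = hosts.most_common(1)[0][1] / n if n else 0.0
    share = pdf_targets / n if n else 0.0
    flagged = (len(data) <= max_size and n >= min_links
               and (top >= top_host_share or share >= pdf_share))
    return {"size": len(data), "external_links": n, "unique_hosts": len(hosts),
            "top_host_share": round(top, 2), "pdf_target_share": round(share, 2),
            "link_farm": flagged}


def build_pdf(urls, compress=False) -> bytes:
    """Constructed sample: one page carrying a /Link annotation per URL.
    With compress=True the annotation objects are wrapped in a FlateDecode
    stream (object-stream offset header omitted) to exercise the inflate path.
    No xref table is written; the scanner does not need one."""
    annots = []
    for i, u in enumerate(urls):
        y = 700 - 12 * i
        annots.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [50 %d 300 %d] "
                      b"/A << /S /URI /URI (%s) >> >> endobj\n"
                      % (4 + i, y, y + 10, u.encode("latin-1")))
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    out = [b"%PDF-1.4\n",
           b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
           b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
           b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
           b"/Annots [" + refs + b"] >> endobj\n"]
    if compress:
        body = zlib.compress(b"".join(annots))
        out.append(b"%d 0 obj << /Type /ObjStm /N %d /Filter /FlateDecode /Length %d >>\n"
                   b"stream\n" % (4 + len(urls), len(urls), len(body))
                   + body + b"\nendstream endobj\n")
    else:
        out.extend(annots)
    out.append(b"%%EOF\n")
    return b"".join(out)


# Constructed inputs: twenty targets on different hosts sharing one templated
# path, like the cluster in this report; a short benign reference list as control.
FARM_URLS = [f"http://farm{i:02d}.example/uploads/1/3/0/{i % 10}/1306{i:05d}/{i * 7919}.pdf"
             for i in range(20)]
BENIGN_URLS = ["https://www.example.org/report.pdf", "https://docs.example.org/",
               "mailto:author@example.org"]

if __name__ == "__main__":
    print("farm        ", link_farm_score(build_pdf(FARM_URLS)))
    print("farm/objstm ", link_farm_score(build_pdf(FARM_URLS, compress=True)))
    print("benign      ", link_farm_score(build_pdf(BENIGN_URLS)))
```

Run it directly to score the constructed link-farm and benign samples, or pass real file bytes to `link_farm_score()` during triage. The score deliberately ignores the producer string, which is attacker-controlled, and reports host clustering and PDF-target share separately so that a farm spread over many domains (as in this sample) is still caught.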

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00003eeb.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x3EEB  8260 bytes
SHA-256: eff35e71bac3625814d9b79312b26b7f0e6584f981a1cb8a2b12fe3255fb16c2

The carved font stream is listed for completeness; none of the three heuristics above fired on it, and an embedded font is expected in a PDF exported from an office suite.