Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccb6075b2d8f336d…

MALICIOUS

PDF

File size: 42.8 KB
Authoring application: OpenOffice.org
MD5: 6afd0d37f06d34ad369bc7dc4d1964ca
SHA-1: 3b671a2a58ada2468be28ae1dfaa4310b0509315
SHA-256: ccb6075b2d8f336d8e34a330a74c33af462d05c9fbf8140473203e636a0c3006
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1204.001 User Execution: Malicious Link
  • T1566.002 Phishing: Spearphishing Link

The sample is identified as a PDF link farm via the PDF_SEO_LINK_FARM heuristic, containing 25 external links to other PDFs hosted on disparate domains. The document body consists of largely obfuscated or garbled text, which is typical for SEO spam PDFs used to trick search engines and redirect users. ClamAV detection as Pdf.Phishing.TtraffRobotInstall further supports the classification as a phishing delivery mechanism.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004220.bin
SHA-256: 892a90c7a0f8392c935592eb06105bafc30d4b92cc80195a820de0862621f019
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4220
Size: 8344 bytes