Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccc110a6df684436…

Verdict: MALICIOUS
File type: PDF
Size: 35.9 KB
Authoring application: LibreOffice
MD5: 4151aa486c47d4474d77b0a48864e6b1
SHA-1: c972d74ad6cd2958fecc495257967798b070757e
SHA-256: ccc110a6df6844362dcdfcf452708284f12964066d20c7ca631c221f73caa82b
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded external links, identified as a PDF_SEO_LINK_FARM heuristic. This suggests the document is designed to redirect users to a multitude of other PDF files hosted across various domains. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or malicious redirection intent. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://kingdomartisans.org/uploads/1/3/0/5/130589312/kejaduzexiw.pdf
    • http://coltsound.com/uploads/1/3/0/7/130775817/zorol_dokosilen_rasak_dozunakotuw.pdf
    • http://ruanntiller.com/uploads/1/3/0/4/130476412/rerowojeku.pdf
    • http://branchlutheranschoolshaiti.net/uploads/1/3/0/6/130620587/gudanefa.pdf
    • http://mechapocalypse.net/uploads/1/3/0/4/130488834/e81c22a07f417.pdf
    • http://bangkokplasticsurgery.net/uploads/1/3/0/7/130775304/1204099.pdf
    • http://bonniesminiaturedolls.com/uploads/1/3/0/8/130874059/8628195.pdf
    • http://curanna.com/uploads/1/3/0/3/130323703/c321f.pdf
    • http://nanba-ryu.com/uploads/1/3/0/6/130640125/ec30002663.pdf
    • http://uicasda.net/uploads/1/3/0/4/130489467/4d34addda03a4fa.pdf
    • http://aninhastore.com/uploads/1/3/0/7/130738555/xevogeresuferol.pdf
    • http://endofthecredits.com/uploads/1/3/0/4/130476565/sewadepozijen-gafuvikufupime-dejoratijesafo.pdf
    • http://sunnydoggrooming.com/uploads/1/3/0/6/130621333/895668.pdf
    • http://willrmccarthy.com/uploads/1/3/0/7/130776591/e70b56cfa6c.pdf
    • http://rightmovecolorado.com/uploads/1/3/0/7/130775536/ferupimovanebiparove.pdf
    • http://moralguard.org/uploads/1/3/0/8/130815124/5faaae6.pdf
    • http://sbtopics.com/uploads/1/3/0/7/130739564/nopojax.pdf
    • http://adsl-63-204-18-47.benefitplans.org/uploads/1/3/0/5/130538996/130538996.html#hikvision+analogue+dome+camera
    • http://sunnydoggrooming.com/uploads/1/3/0/6/130621333/895668.pd

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002d50.bin
SHA-256: f941b358fec9d7ef4ff56f10c0cf554208028ae303ed4a491df49b20cbdfcadf
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2D50
Size: 8668 bytes