Malicious PDF — malware analysis report

Static analysis result for SHA-256 d7e97e147d148686…

Verdict: MALICIOUS
File type: PDF
Size: 72.0 KB
Authoring application: LibreOffice
MD5: 6752f73cdfd8cfe94edbd2f304eaea15
SHA-1: b46d275531fab22f6380d586f15fce1aa3d68bba
SHA-256: d7e97e147d1486869a3885cd49715bdff9b444efd8d97a03411ec02dfc896895
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded links to external PDF documents hosted on various domains. This technique is often used to distribute malicious content or conduct phishing attacks by overwhelming search engines with links to malicious sites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic-robot-based malicious intent.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://cavalcadeofkink.com/uploads/1/3/0/6/130620763/db2db292f182164.pdf
    • http://supergcoating.com/uploads/1/3/0/6/130605373/popexojo.pdf
    • http://3dprintedgospel.com/uploads/1/3/0/6/130639558/4999865302295c4.pdf
    • http://www.armoryheritage.com/uploads/1/3/0/6/130620964/gufeza.pdf
    • http://www.rbframingco.com/uploads/1/3/0/6/130621531/tosusovixeduji_feguxamakafaro_pusaxasoxalidiw.pdf
    • http://www.buildershare.co.nz/uploads/1/3/0/5/130541950/b49b766948221b9.pdf
    • http://arictran.com/uploads/1/3/0/7/130776720/ganunavebifozudowaf.pdf
    • http://riverviewcottage.info/uploads/1/3/0/9/130969842/1972687.pdf
    • http://hubsinhalf.com/uploads/1/3/0/2/130287932/7241d54d2e2da.pdf
    • http://mynorthlakedemo.com/uploads/1/3/0/8/130874394/288630.pdf
    • http://arizonacustomgraphics.com/uploads/1/3/0/8/130813736/gujabezarirev.pdf
    • http://nobros.net/uploads/1/3/0/6/130639831/jexusul-buzelamudotizu.pdf
    • http://www.claudiasdeliciousdishes.com/uploads/1/3/0/6/130621072/911937.pdf
    • http://nobodyssafeapparel.com/uploads/1/3/0/2/130289476/561009188.pdf
    • http://nrv-ayurveda-foundation.org/uploads/1/3/0/5/130590355/d96f33.pdf
    • http://newdaymetaphysical.com/uploads/1/3/0/7/130739087/8568391.pdf
    • http://remisesugartepremium.com/uploads/1/3/0/7/130775458/1a1674f1acffb.pdf
    • http://magneticmindz.com/uploads/1/3/0/6/130604729/7341299.pdf
    • http://alpinetransportationgroup.com/uploads/1/3/0/5/130545885/jebepov_xabadokopusoni_waligawit.pdf
    • http://www.magicalgourmet.com/uploads/1/3/0/6/130604775/130604775.html#apache+openoffice+portable+for+mac

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • font_00_sfnt_off00003385.bin
    SHA-256: 57ab9563b93709fdd7a716e21cede2f27f3b6b500259d68a041fdcb0de1a569d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3385
    Size: 6336 bytes
  • font_01_sfnt_off0000475f.bin
    SHA-256: bbd465158f88620f6b89bbc14fd4053a393fda34b464cf5d9625b9580ee6f51f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x475F
    Size: 10240 bytes
  • font_02_sfnt_off00005cdf.bin
    SHA-256: b1118302c5517eb61a6a239cbb0c0398f36a596cc95e76ebefef7294164c1510
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5CDF
    Size: 7316 bytes
  • font_03_sfnt_off00006f2e.bin
    SHA-256: a47959a8a0c44ddf6b8e998b6dd727bd4d99d6980137c168d359ab97f64ba13a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6F2E
    Size: 5032 bytes
  • font_04_sfnt_off00007ddd.bin
    SHA-256: 750c92fa1db5810c6de6b1040e9c0837d38486580b44de1cde3f2eb8b8040d63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7DDD
    Size: 6664 bytes
  • font_05_sfnt_off00008ea3.bin
    SHA-256: 4c93801c4768b9cf34ec960e4f85d683fdbe353adcc5a9e70f9f8b41c5e92470
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8EA3
    Size: 3508 bytes
  • font_06_sfnt_off00009a6f.bin
    SHA-256: a698bf74a6b91010e90e2891ccde8bbe917d6cb64c35f07d6b7285511bd4a274
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9A6F
    Size: 16860 bytes
  • font_07_sfnt_off0000b58a.bin
    SHA-256: 8884696cc8fbe62ed2512d52df2573e4a45fb62ad7a3567c3f848ca958e3aa8f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB58A
    Size: 11404 bytes