Malicious PDF — malware analysis report

Static analysis result for SHA-256 d976eec2795bbf5f…

MALICIOUS

PDF

Size: 47.3 KB
Authoring application: LibreOffice
MD5: 5c90f7e6512b32cafae31c9b561dbc51
SHA-1: 6097e10cc1b19df4a21acf867b46f0cfd158e87a
SHA-256: d976eec2795bbf5f5f6f6bbdb2907c639401ef2b67df9385daf06b6b7b75f418
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic redirection intent. The document body, though partially corrupted, appears to be a template for a company's founding act, suggesting a lure to trick users into visiting potentially harmful sites disguised as legitimate documents.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000060e7.bin
SHA-256: 5a93f607457ade28351a609d13d944788ee27503b034d6161e364f0ef4e083b8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x60E7
Size: 8996 bytes