Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9add97223b1bd02…

Verdict: MALICIOUS
File type: PDF
Size: 40.4 KB
Authoring application: OpenOffice.org
MD5: 56514b6624066d24f40edec7a8108738
SHA-1: 30616f5c9abd15b7ce9eea0a738fbe3b9767663d
SHA-256: d9add97223b1bd024cd850cdc4901a483ee82177056e86709bb7cb7cb49f7c9c
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded URLs pointing to external PDF documents hosted on various domains. This behavior is indicative of a link farm or SEO manipulation tactic, as flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection further confirms its malicious nature. The embedded URLs are the primary IOCs, suggesting the document's purpose is to redirect users to these external resources, potentially for malicious advertising or to distribute further malware.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000017c5.bin
SHA-256: 0e16cb926e907981f7cc9cc8463deeb7d7cc194953fc4bf2e81d2a040ca3d13d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x17C5
Size: 7716 bytes