Malicious PDF — malware analysis report

Static analysis result for SHA-256 e168a3fbd37676fb…

Verdict: MALICIOUS
File type: PDF
Size: 47.7 KB
Authoring application: OpenOffice.org
MD5: 54b5f431a3677a91a3076e8b4133d95b
SHA-1: 4829b3bdcfe71e0680fe0965432f00d901315864
SHA-256: e168a3fbd37676fbcb0e78446fb40601a21ac5d725e764f9b73850bfed297cf6
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs pointing to external PDF files across multiple domains. This behavior is indicative of a link farm designed to redirect users to malicious content or phishing sites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing classification.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://frankieharrer.com/uploads/1/3/0/4/130488498/8187654.pdf
      • http://albanystudentpress.com/uploads/1/3/0/6/130639227/voweduveronexu.pdf
      • http://betawilloughby.com/uploads/1/3/0/6/130639963/3298763.pdf
      • http://spintosouza.com/uploads/1/3/0/2/130272631/vivosa.pdf
      • http://daybreakerstest.com/uploads/1/3/0/3/130323302/wozulon.pdf
      • http://1123rd.com/uploads/1/3/0/5/130539449/kitulowe.pdf
      • http://sagensparrow.com/uploads/1/3/0/5/130548070/fukulatafonoko_kojeboz.pdf
      • http://sharedtravel.voyagerwebsites.com/uploads/1/3/0/6/130621942/130621942.html#partial+achilles+tendon+tear+ultrasound

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000119c.bin
SHA-256: 33469ec4bca04f26e9622764d0192ffc3ed059c368f54f2d1fd165772799d38c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x119C
Size: 9256 bytes