Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9b56cabbef6d396…

MALICIOUS

PDF

Size: 53.3 KB
Authoring application: OpenOffice Draw
MD5: 5882d595a44092e2233184cc6add16a6
SHA-1: a7dac01fc083426702a2f1070e6c518054d58da9
SHA-256: e9b56cabbef6d396e8f0d6f19cc85beaf04598248c8609ce7c197e2c455dd6fc
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 Malicious Link

The PDF carries a large number of link annotations pointing to externally hosted PDF documents, a pattern typical of generated SEO-poisoning or phishing carriers rather than of genuine document citations. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently flags the file. No JavaScript or other scripts were extracted and the document body could not be read, so the verdict rests on the link farm and the antivirus hit rather than on embedded code. The extracted links are spread across 15 distinct hosts but share an identical /uploads/1/3/0/N/<numeric id>/ path layout, with a single .html landing page among the .pdf targets; the shared layout, not host clustering, is what marks this sample as a generated link farm.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.aarowfinancial.com/uploads/1/3/0/5/130539798/bapevatimizu_gabeb_safopa.pdf
    • http://bbartbyangelica.com/uploads/1/3/0/4/130435516/9883155.pdf
    • http://foreclosureprofits.ca/uploads/1/3/0/5/130540186/7051308.pdf
    • http://raidfinder.com/uploads/1/3/0/8/130814687/juzemobinepux.pdf
    • http://prosphatos.com/uploads/1/3/0/5/130541743/suzavewajufenu-vinapino.pdf
    • http://professionallawncareandlandscapingservicesnm.online/uploads/1/3/0/5/130588333/2043457.pdf
    • http://alpinetransit.com/uploads/1/3/0/6/130621313/warus.pdf
    • http://www.vegastoyhauleroutlet.com/uploads/1/3/0/6/130603834/fb496a.pdf
    • http://www.startanewria.com/uploads/1/3/0/5/130543996/c3369a.pdf
    • http://troop827.info/uploads/1/3/0/7/130739373/tujibaremakoju-remomag-tevomoti-rubonoxe.pdf
    • http://markkraemer.net/uploads/1/3/0/8/130814133/betesaruteso.pdf
    • http://uveitinapoli.com/uploads/1/3/0/7/130776498/seruzipumezazepi.pdf
    • http://hairbyjonathan.com/uploads/1/3/0/6/130604804/wakulalurufumu_gaparanuxam_mofupiposu_jagujokitudas.pdf
    • http://cheaptokeeptreesandlandscapes.org/uploads/1/3/0/6/130639634/tinuninasuzega.pdf
    • http://adsl-63-204-18-39.benefitplans.org/uploads/1/3/0/7/130775115/130775115.html#china-asean+free+trade+area+%28cafta%29

Extracted artifacts 4

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000036cd.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x36CD   Size: 18020 bytes
    SHA-256: 2283e06596cb4fa930a752a1e6ab4c838418065fa4b60441d5fbacce75b29103
  • font_01_sfnt_off00005159.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x5159   Size: 2628 bytes
    SHA-256: bd74be1930b9ea86a4180eeb2a1dba49032f4796309945d9d7cb94e2455ee4a0
  • font_02_sfnt_off00005a2f.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x5A2F   Size: 7068 bytes
    SHA-256: d39c6a27d86f1a9c52089e67956c852224c1e2c829141f1db46e7fc3d78b132b
  • font_03_sfnt_off00007381.bin
    Kind: pdf-font-stream   Source: PDF embedded font (sfnt) at offset 0x7381   Size: 9716 bytes
    SHA-256: 9c13ace98edda1f6bbe1b85ba22c3440b5929e779bc7338bdd675407b764c06b
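As an added example (not code from the analysis platform that produced this report), the following stdlib-only Python script reproduces the two mechanical steps behind the verdict and the artifact table above: it pulls /URI link targets out of a PDF, including targets stored inside FlateDecode streams that a plain strings pass misses, scores them with a PDF_SEO_LINK_FARM-style heuristic, and carves embedded sfnt font streams using the same font_NN_sfnt_offXXXXXXXX.bin naming as the artifact table. The constructed sample PDF, the thresholds (10 links, 200 KB, 60% clustering), the function names and the "shared path template" criterion are assumptions of this example; the path-template test goes beyond the page's "clustered on one host" rule so that a farm spread across many hosts, like this sample's 15-host /uploads/1/3/0/N/<id>/ layout, still scores. Offsets here are of the stream data within the file and sizes are of the decoded stream, which may differ from how the report's tool measured them.

```python
"""Stdlib-only PDF triage for a link-farm carrier: extract /URI targets
(including ones hidden in FlateDecode streams), score them with a
link-farm heuristic, and carve embedded sfnt font streams.
Added example with a constructed sample PDF; thresholds are assumptions."""
import hashlib
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")  # TrueType / OpenType / collection
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)  # \b skips "endstream"
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)  # literal-string URIs only, not <hex>


def iter_streams(pdf):
    """Yield (data_offset, decoded_bytes) for every stream; FlateDecode streams are inflated.
    Regex-based scanning ignores /Length and xref, which is fine for triage but not for parsing."""
    for m in STREAM_RE.finditer(pdf):
        obj_start = max(pdf.rfind(b" obj", 0, m.start()), 0)   # crude: nearest "N G obj" header
        dictionary = pdf[obj_start:m.start()]
        data = m.group(1)
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue                                         # corrupt/truncated stream: skip
        yield m.start(1), data


def extract_uris(pdf):
    """Collect distinct /URI strings from the raw file and from every inflated stream."""
    found = []
    for blob in [pdf] + [data for _, data in iter_streams(pdf)]:
        for m in URI_RE.finditer(blob):
            uri = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
            if uri not in found:
                found.append(uri)
    return found


def link_farm_verdict(pdf, min_links=10, max_bytes=200_000, cluster_ratio=0.6):
    """Small file + many external .pdf links + clustering on one host OR one path template.
    The path-template test is an extension of the report's 'one host' heuristic (assumption)."""
    external = [u for u in extract_uris(pdf) if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    # /uploads/1/3/0/5/130539798/x.pdf -> /uploads/N/N/N/N/N : digits collapsed, filename dropped
    templates = Counter(re.sub(r"\d+", "N", urlparse(u).path.rsplit("/", 1)[0]) for u in external)
    top = max([c for _, c in hosts.most_common(1)] + [c for _, c in templates.most_common(1)], default=0)
    clustered = bool(external) and top / len(external) >= cluster_ratio
    return {
        "links": len(external),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_path_template": templates.most_common(1)[0][0] if templates else None,
        "flagged": len(pdf) <= max_bytes and len(pdf_links) >= min_links and clustered,
    }


def carve_fonts(pdf):
    """Carve streams whose decoded bytes start with an sfnt magic; naming mirrors the report."""
    fonts = []
    for off, data in iter_streams(pdf):
        if data[:4] in SFNT_MAGICS:
            fonts.append({"name": f"font_{len(fonts):02d}_sfnt_off{off:08x}.bin",
                          "offset": off, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
    return fonts


def build_sample_pdf(n_links=15):
    """Constructed sample (not a real malware file): Link annotations stored inside a
    FlateDecode stream (a real ObjStm also carries an offset table) plus one sfnt stream."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ("
        + f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/1305{i:05d}/{i}.pdf".encode()
        + b") >> >>\n" for i in range(n_links))
    annot_stream = zlib.compress(annots)
    font = b"\x00\x01\x00\x00" + b"\x00" * 60                   # sfnt magic + padding, not a usable font
    font_stream = zlib.compress(font)
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots 4 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(annot_stream),
        annot_stream, b"\nendstream\nendobj\n",
        b"5 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 64 >>\nstream\n" % len(font_stream),
        font_stream, b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_verdict(sample))
    for font in carve_fonts(sample):
        print(font)
```

The script deliberately does only what the report's two findings need: literal-string /URI actions and FlateDecode streams. Hex-string URIs, other filters, encrypted documents and object streams whose headers have been tampered with all evade it, so treat it as a first pass before pdfid/pdf-parser or a full parser such as pikepdf, not as a replacement for them.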