Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebd0e2db851c7a0a…

MALICIOUS

PDF

36.5 KB Authoring application: LibreOffice
MD5: 44b1e367dbf7a7377f52bcbb127a9d26 SHA-1: 370cf1427984f5fe4e0b462a895757bc526d3803 SHA-256: ebd0e2db851c7a0ae693da9443f9068a94f9168e8cb7ad53736bee918de95e57
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to external PDF documents, a technique often used for SEO manipulation or to distribute malware. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious intent. No scripts were extracted from this sample, but the extensive link farm suggests a delivery mechanism for potentially malicious content.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://olqm.us/uploads/1/3/0/3/130324324/zisijapolon.pdf
    • http://suxukirobo.kropanev.online/uploads/2020/01/28/bopuvunagop.pdf
    • http://mieterbeirat.eu/uploads/1/3/0/6/130639175/8fcc808e50ebd2b.pdf
    • https://tipimofugera.weebly.com/uploads/1/3/0/5/130589389/9424687.pdf
    • http://coateschicken.com/uploads/1/3/0/6/130604226/1187241.pdf
    • http://chewoncakes.com/uploads/1/3/0/7/130739175/zixopumemasabik.pdf
    • http://monarchmagic.com/uploads/1/3/0/6/130639100/303d3c1.pdf
    • http://nobiw.ichildroom.ru/uploads/2020/01/28/waxam.pdf
    • http://serpboards.com/uploads/1/3/0/5/130541624/jewuxezafowo.pdf
    • http://nupelicanparty.org/uploads/1/3/0/7/130739628/130739628.html#vine+a+adorarte+letra+y+acordes

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001218.bin
f2f80c74564feb0818b92569f372c9a8624a69087cb958821e4d83975031a228		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1218 9428 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.