Malicious PDF — malware analysis report

Static analysis result for SHA-256 efb6d45ee311c5f3…

MALICIOUS

PDF

Size: 37.7 KB
Authoring application: LibreOffice Draw
MD5: 686c644e9b79b1bc41b4a83708bfa5c2
SHA-1: 91ae363e6b3cb38504ce5d0a09e9d1a5c6b37bed
SHA-256: efb6d45ee311c5f3db95e2ffc23e8caa6857569e61f6d1ee6f03f708d6acecce
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link (the victim must click one of the embedded links). Opening the attachment itself is T1204.002 User Execution: Malicious File; the original mapping paired that ID with the "Malicious Link" name, which belongs to T1204.001.

The PDF contains a large number of clickable links to external PDF documents hosted across many different domains, all of them following the same upload-path template (/uploads/1/3/0/<n>/<nine digits>/<name>.pdf). That is the footprint of a generated link farm, used for SEO manipulation or to route readers into phishing or unwanted-software delivery chains rather than to cite sources. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 corroborates this assessment. Note that a signature match classifies the carrier file; it says nothing about what each linked document currently serves, so the destinations should be treated as hostile and, if needed, fetched only from an isolated sandbox.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF carries many clickable external links to other PDF files, either clustered on one host or, as in this sample, spread across many hosts that share a single upload-path template. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URLs (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.thecommonwealproject.com/uploads/1/3/0/9/130969293/viretirexigap_livur_batuzeg_vuwela.pdf
    • http://scottbrownconsults.com/uploads/1/3/0/7/130775123/8743bb892.pdf
    • http://adoxian.com/uploads/1/3/0/4/130489128/6035191.pdf
    • http://tryshashby-rolls.com/uploads/1/3/0/6/130604230/tolav.pdf
    • http://hairbycharise.com/uploads/1/3/0/3/130323705/pefukebo.pdf
    • http://jourdanton66.com/uploads/1/3/0/6/130620300/raliwefugorapux.pdf
    • http://mta-sts.mail.assekuranz.pro/uploads/1/3/0/7/130775634/jebajilojozimabaga.pdf
    • http://www.derjusa.com/uploads/1/3/0/2/130272355/jimafaduwod_vutasozaw_finav_burenuz.pdf
    • http://ketoqr.com/uploads/1/3/0/7/130776229/73eecf273394.pdf
    • http://teamboatenginsurance.com/uploads/1/3/0/6/130639440/abc9dba2940b.pdf
    • http://katieforcarteret.net/uploads/1/3/0/4/130476208/9336745.pdf
    • http://selfhelpportal.com/uploads/1/3/0/6/130620561/187790663.pdf
    • http://pamaentertainment.com/uploads/1/3/0/5/130542935/3346995.pdf
    • http://americandetailing.net/uploads/1/3/0/2/130289767/mutamedavujujobe.pdf
    • http://realsignaturestyle.com/uploads/1/3/0/7/130775245/zeboni_sofawaxo.pdf
    • http://www.test.maurermobileblasting.com/uploads/1/3/0/6/130620731/1917381.pdf
    • http://carolinetreanorglobal.com/uploads/1/3/0/7/130776166/tororidif-morukawinew-roduvojuburos-kitavav.pdf
    • http://olympic-custom-construction.com/uploads/1/3/0/4/130476273/9160478.pdf
    • http://jennyoakley.com/uploads/1/3/0/5/130539992/rapozokog_busep_mimivapo_vufigip.pdf
    • http://katiaponomareva.com/uploads/1/3/0/5/130551518/3410081.pdf
    • http://a1704703xstreamtravel.xsideas.com/uploads/1/3/0/4/130489742/130489742.html#edgar+allan+poe+biography+quizlet
    • http://tryshashby-rolls.com/uploads/1/3/0/6/
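The PDF_SEO_LINK_FARM heuristic above keys on three observable properties: the carrier is small, it holds many /Link annotations whose URI targets are external .pdf files, and the targets share a host or a path template. The following Python is an added example written for this report, not the analysis engine's own code: it scans raw PDF bytes for URI actions, measures those properties, and returns a verdict. The PDF bytes, the hostnames, and the thresholds MIN_LINKS and MAX_SIZE are constructed or assumed here; the path-template regex is taken from the URLs listed above. Because the report's description says "clustered on one host" while the listed URLs are spread across many hosts, the verdict rests on link count and .pdf share, and the host spread is reported for the analyst rather than required.

```python
"""Link-farm heuristic over PDF URI annotations (added example, not the report's tooling)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string) inside a link annotation's action dictionary.
# Literal strings only; hex strings (<...>) and streams are out of scope here.
URI_RE = re.compile(rb"/URI\s*\((?P<url>(?:\\.|[^\\)])*)\)")
# Path template seen in the report's extracted URLs: /uploads/d/d/d/d/<9 digits>/
TEMPLATE_RE = re.compile(r"^/uploads/\d/\d/\d/\d/\d{9}/")

MIN_LINKS = 10       # assumption: fewer external links than this is a normal document
MAX_SIZE = 100_000   # assumption: "small PDF" threshold in bytes


def unescape_pdf_literal(raw: bytes) -> str:
    # Undo single-character backslash escapes of a PDF literal string (octal escapes not handled).
    return re.sub(rb"\\(.)", lambda m: m.group(1), raw).decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    return [unescape_pdf_literal(m.group("url")) for m in URI_RE.finditer(pdf)]


def score_link_farm(pdf: bytes) -> dict:
    uris = extract_uris(pdf)
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    parts = [urlsplit(u) for u in external]
    hosts = Counter(p.hostname or "" for p in parts)
    pdf_links = sum(1 for p in parts if p.path.lower().endswith(".pdf"))
    templated = sum(1 for p in parts if TEMPLATE_RE.match(p.path))
    top_host, top_count = (hosts.most_common(1) or [("", 0)])[0]
    n = len(external)
    verdict = len(pdf) <= MAX_SIZE and n >= MIN_LINKS and pdf_links >= 0.8 * n
    return {
        "size_bytes": len(pdf),
        "external_links": n,
        "pdf_links": pdf_links,
        "templated_links": templated,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": (top_count / n) if n else 0.0,
        "link_farm": verdict,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Construct a minimal one-page PDF with one /Link annotation per URL.

    Constructed test input: the xref table is omitted, which a byte-level scan
    does not need (a conforming parser would). Parentheses in URLs are escaped.
    """
    annots = []
    for i, u in enumerate(urls):
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        annots.append(
            f"{10 + i} 0 obj << /Type /Annot /Subtype /Link /Rect [0 {i * 12} 200 {i * 12 + 10}] "
            f"/A << /S /URI /URI ({esc}) >> >> endobj"
        )
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(urls)))
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        f"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{refs}] >> endobj\n"
        + "\n".join(annots)
        + "\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


# Constructed inputs: twenty templated .pdf links on twenty hosts (mirrors the report's
# URL shape with assumed hostnames) versus a benign document with two ordinary links.
FARM_URLS = [
    f"http://site{i:02d}.example/uploads/1/3/0/{i % 10}/13060{i:04d}/doc({i}).pdf"
    for i in range(20)
]
FARM_PDF = build_sample_pdf(FARM_URLS)
BENIGN_PDF = build_sample_pdf(["https://docs.example/reference.pdf", "https://www.example/"])

if __name__ == "__main__":
    for name, sample in (("farm", FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, score_link_farm(sample))
```

Run on a real sample, the same scan (for example `score_link_farm(open(path, "rb").read())`) gives the link count, .pdf share, template share and host spread that a triage analyst would want beside the ClamAV verdict; link annotations carried in compressed object streams need inflating first, which this byte-level scan does not do.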

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003417.bin
SHA-256: 6285528c758f3b5d4d70ac5fdd9ba0386e6e31986281aef4e46404eec58ad74b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3417
Size: 7744 bytes