Malicious PDF — malware analysis report

Static analysis result for SHA-256 f75043db5c1f0bc2…

Verdict: MALICIOUS
File type: PDF
Size: 50.1 KB
Authoring application: OpenOffice Draw
MD5: 4859bc3949980e9da0c0c88a43f519ff
SHA-1: 26d5f7a5c351f34fff7568705dc96a7dfa58aa00
SHA-256: f75043db5c1f0bc2acda5e4c6fac063b07b9e01ce17178a4f0dbda54eddf0d95
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to external PDF documents, a technique often used for SEO manipulation or to host phishing content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious-redirection intent. The document body contains some text related to 'Casais de doramas' but is heavily corrupted, so its direct intent is unclear; the embedded URLs are the primary indicators of malicious activity.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00001525.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1525   10388 bytes
  SHA-256: 4125c03cac0cf5c3fd76a72a985a69584e5766bb7531db168f4234fa516a20fe
font_01_sfnt_off00007074.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7074   3952 bytes
  SHA-256: 5ce67c17623dc2029341776ac5eb4d704a90212bd71c75d6b083f47532dbf133
font_02_sfnt_off00007b99.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7B99   16468 bytes
  SHA-256: f28c381d1bb903d9f5f37d28f65a7984e0eaf6c5d845452c4086ec6bc68e7676