Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb4821e963eb90ef…

Verdict: MALICIOUS
File type: PDF
Size: 34.2 KB
Authoring application: LibreOffice
MD5: 589bc23cfb7e2b1adb77259bbb6965e1
SHA-1: 9267d4b39f5bc5c1713f3f8c2e1b9251b642fb6a
SHA-256: fb4821e963eb90efdda659ffe528e071f6289b8d16a03bc7094a26104b889e07
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious by ClamAV with the signature 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis revealed a significant number of embedded external links, indicative of a link farm designed to redirect users to potentially malicious content. The document body contains a mix of seemingly legitimate text and obfuscated characters, further supporting a phishing or malware distribution intent.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://mmeconnect.com/uploads/1/3/0/5/130588288/451ad.pdf
    • http://alexisborth.com/uploads/1/3/0/6/130621141/xagejuket_bedim_todulogi_bovutaz.pdf
    • http://watersportsinkorea.com/uploads/1/3/0/6/130603825/paxugima.pdf
    • http://iteropartnerlaboratory.com/uploads/1/3/0/4/130491599/3697404.pdf
    • http://grabembythetwitter.com/uploads/1/3/0/5/130544131/9934561.pdf
    • http://stlopenwater.com/uploads/1/3/0/7/130739068/a09e5eacd04.pdf
    • http://plandesignco.com/uploads/1/3/0/7/130776486/cb590b399a68445.pdf
    • http://jackrthompson.net/uploads/1/3/0/6/130604744/xefaxo.pdf
    • http://adamgoodbet.com/uploads/1/3/0/3/130323900/001f94ffa717f8f.pdf
    • http://littledarlingscookieco.com/uploads/1/3/0/7/130738607/semiwubetegudi_foxob.pdf
    • http://davidbergmann.com/uploads/1/3/0/5/130545087/lexaruzoso.pdf
    • http://antaresservices.org/uploads/1/3/0/6/130620880/pakazutazo.pdf
    • http://awpcmarianna.com/uploads/1/3/0/7/130775918/5860936.pdf
    • http://smbrandmgt.com/uploads/1/3/0/2/130272504/130272504.html#airtel+online+recharge+in+ap

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002c9e.bin
SHA-256: d57693b2c295e71ce2c01c4d404fb1ff8d80a2869583cbcb5189dbd1aa35f1ec
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2C9E
Size: 8012 bytes