Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc4502358c18a0fd…

Verdict: MALICIOUS

File type: PDF

Size: 45.0 KB. Authoring application: LibreOffice
MD5: 8c40ca8c4d02657807602026c8c1ca71
SHA-1: fd7ef6588981fc636d0b40db81960f6e69fc86f1
SHA-256: fc4502358c18a0fd817509f2d853de236859fe30d5a79ce5759a3089f0d74ae0
Risk score: 120

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1566.002 Spearphishing Link

The PDF exhibits the characteristics of a link farm: it contains numerous external links to other PDF documents hosted on many different domains, all of which share an identical /uploads/1/3/0/<n>/<id>/ path template, a pattern consistent with generated pages rather than hand-authored citations. This technique is commonly used to manipulate search engine results or to route users to malicious content such as phishing lures. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 independently supports the phishing assessment.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection. See the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://newbethellg.com/uploads/1/3/0/7/130775936/e344322ae0f.pdf
    • http://callaneventplanner.com/uploads/1/3/0/5/130589276/dc129818475ae2.pdf
    • http://www.pslholdings.com/uploads/1/3/0/8/130813548/c2cf09c6d.pdf
    • http://thisweeksbestdeals.com/uploads/1/3/0/5/130543985/aa36b39477d9.pdf
    • http://mychicagorides.com/uploads/1/3/0/2/130289336/gimuwuter_gevatesatuve_wevewo_fefuxado.pdf
    • http://bethegamechanger.org/uploads/1/3/0/7/130738681/3219952.pdf
    • http://deyoodesign.com/uploads/1/3/0/6/130620429/7c906c1caff3362.pdf
    • http://www.plethoraofpigs.ca/uploads/1/3/0/3/130323422/7b71dad04648.pdf
    • http://musiowskyed.com/uploads/1/3/0/3/130313090/164b369c35e835.pdf
    • http://as13.com/uploads/1/3/0/5/130545011/xalonuvugix.pdf
    • http://misscarladance.org/uploads/1/3/0/7/130776254/sovulotomalonijojosi.pdf
    • http://stephappy.net/uploads/1/3/0/6/130640178/558be415a2b.pdf
    • http://modelamics.com/uploads/1/3/0/7/130739873/779b74c0a6107d2.pdf
    • http://marinbasic.com/uploads/1/3/0/7/130774965/7082908.pdf
    • http://hostmaster.giar.ch/uploads/1/3/0/2/130272071/130272071.html#write+chemical+equation+for+acetic+acid+reacts+with+calcium+hydroxide
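The PDF_SEO_LINK_FARM heuristic above is only described in prose. The following is an added example, not code from the scanner that produced this report, showing how such a check can be implemented: it pulls /URI targets out of link annotations, then scores file size, link count, the share of links pointing at .pdf files, and how strongly the targets cluster. The report's rule speaks of clustering on one host; because the links in this sample sit on fifteen distinct hosts that share one path template, the example also measures path-template clustering, which is an assumption of this example rather than part of the reported rule. Thresholds, the helper names and the constructed PDF builder are all assumptions; the URL list is taken from the EMBEDDED_URL section above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Link targets copied from the EMBEDDED_URL section of the report.
REPORT_URLS = [
    "http://newbethellg.com/uploads/1/3/0/7/130775936/e344322ae0f.pdf",
    "http://callaneventplanner.com/uploads/1/3/0/5/130589276/dc129818475ae2.pdf",
    "http://www.pslholdings.com/uploads/1/3/0/8/130813548/c2cf09c6d.pdf",
    "http://thisweeksbestdeals.com/uploads/1/3/0/5/130543985/aa36b39477d9.pdf",
    "http://mychicagorides.com/uploads/1/3/0/2/130289336/gimuwuter_gevatesatuve_wevewo_fefuxado.pdf",
    "http://bethegamechanger.org/uploads/1/3/0/7/130738681/3219952.pdf",
    "http://deyoodesign.com/uploads/1/3/0/6/130620429/7c906c1caff3362.pdf",
    "http://www.plethoraofpigs.ca/uploads/1/3/0/3/130323422/7b71dad04648.pdf",
    "http://musiowskyed.com/uploads/1/3/0/3/130313090/164b369c35e835.pdf",
    "http://as13.com/uploads/1/3/0/5/130545011/xalonuvugix.pdf",
    "http://misscarladance.org/uploads/1/3/0/7/130776254/sovulotomalonijojosi.pdf",
    "http://stephappy.net/uploads/1/3/0/6/130640178/558be415a2b.pdf",
    "http://modelamics.com/uploads/1/3/0/7/130739873/779b74c0a6107d2.pdf",
    "http://marinbasic.com/uploads/1/3/0/7/130774965/7082908.pdf",
    "http://hostmaster.giar.ch/uploads/1/3/0/2/130272071/130272071.html#write+chemical+equation+for+acetic+acid+reacts+with+calcium+hydroxide",
]
# Constructed control input: a handful of ordinary citation links.
BENIGN_URLS = [
    "https://example.org/papers/report.pdf",
    "https://example.com/about.html",
    "https://example.net/whitepaper.pdf",
]


def build_pdf_with_links(urls):
    """Constructed test input: one-page, uncompressed PDF with one /Link
    annotation (URI action) per URL. No xref table is written; a byte-level
    heuristic does not need one, a strict parser would complain."""
    annots, ids = [], []
    for n, u in enumerate(urls, start=4):
        annots.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                      f"/A << /S /URI /URI ({u}) >> >>\nendobj\n")
        ids.append(f"{n} 0 R")
    body = ("%PDF-1.4\n"
            "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            "3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            f"/Annots [{' '.join(ids)}] >>\nendobj\n"
            + "".join(annots) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# Literal-string /URI values: "/URI (" ... ")" with backslash escapes allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes):
    """Collect /URI targets from uncompressed objects. Caveat: real samples
    often keep annotations inside /FlateDecode object streams, which a
    production scanner inflates first; this example does not."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        for esc, lit in ((rb"\(", b"("), (rb"\)", b")"), (rb"\\", b"\\")):
            raw = raw.replace(esc, lit)
        uris.append(raw.decode("latin-1"))
    return uris


def path_template(url):
    """Hypothetical helper: drop the file name and collapse digit runs so
    that generated paths like /uploads/1/3/0/7/130775936/x.pdf compare equal."""
    path = urlsplit(url).path
    return re.sub(r"\d+", "N", re.sub(r"/[^/]*$", "/<file>", path))


def link_farm_check(pdf_bytes, max_size=200_000, min_links=8,
                    min_pdf_share=0.6, min_cluster_share=0.5):
    """Assumed thresholds: small file, many external links, most of them to
    .pdf targets, and at least half clustered on one host OR one path template."""
    uris = extract_uris(pdf_bytes)
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    n = len(external)
    pdf_links = sum(1 for u in external if urlsplit(u).path.lower().endswith(".pdf"))
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    templates = Counter(path_template(u) for u in external)
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_tpl = templates.most_common(1)[0][1] / n if n else 0.0
    pdf_share = pdf_links / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and pdf_share >= min_pdf_share
               and max(top_host, top_tpl) >= min_cluster_share)
    return {"size": len(pdf_bytes), "external_links": n, "pdf_links": pdf_links,
            "distinct_hosts": len(hosts), "top_host_share": round(top_host, 3),
            "top_path_template_share": round(top_tpl, 3), "flagged": flagged}


if __name__ == "__main__":
    print("report-like :", link_farm_check(build_pdf_with_links(REPORT_URLS)))
    print("benign      :", link_farm_check(build_pdf_with_links(BENIGN_URLS)))
```

Run as-is, the report-like input is flagged (15 external links, 14 to .pdf, every target on a different host but all on the same path template), while the three-link control is not. On a real sample, run the same metrics after inflating object streams and also over /OpenAction and JavaScript channels, since the EMBEDDED_URL labels above distinguish which channel reached each URL.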

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003bde.bin
  SHA-256: fc78370cfda3dff8d703bd96b00418a91af6db7a831a448baa24124c99fcf727
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3BDE
  Size: 16152 bytes

Filename: font_01_sfnt_off00005403.bin
  SHA-256: e0f85dd5489087cb77fefd6bcc239b2e9b242938fec845cf71268ecd877cf2ef
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5403
  Size: 8676 bytes