Malicious PDF — malware analysis report

Static analysis result for SHA-256 fda9d8af6335fbc6…

Verdict: MALICIOUS
File type: PDF
Size: 53.0 KB
Authoring application: OpenOffice.org
MD5: 9190c8d1de80470ac722445f68e305f6
SHA-1: f4bd3c59141f639116d1baeafa986d903a847f43
SHA-256: fda9d8af6335fbc68b52eb26e2e364e423130b714d20bfe5c127231a65cb51a9
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents, a technique commonly used for phishing or distributing further malware. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies this behavior, pointing to domains like cataniainunclick.com. The ClamAV detection further supports the malicious classification. No scripts were extracted, and the document body content is heavily obfuscated and unreadable.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://cataniainunclick.com/uploads/1/3/0/6/130640029/sidafarob_mapexemozunipa_zomige_guxanezawesulor.pdf
      • http://successwithwilson.com/uploads/1/3/0/7/130738679/4335583.pdf
      • http://kelsweet.com/uploads/1/3/0/3/130313582/8558677.pdf
      • http://steephollowvet.com/uploads/1/3/0/6/130620603/1783763.pdf
      • http://tkrealtysolutionssa.com/uploads/1/3/0/7/130775763/fonezumujonuror.pdf
      • http://museofyourownmaking.com/uploads/1/3/0/7/130776695/rivudasarivafo_fubazuzaxeki.pdf
      • http://ackertech.org/uploads/1/3/0/6/130604947/wavuvileju-xunewuzufo-xofanidakavejo.pdf
      • http://aim-mississauga.org/uploads/1/3/0/6/130604877/d92ab6f11.pdf
      • http://enduralyst.com/uploads/1/3/0/6/130639034/111079.pdf
      • http://wallepikkers.nl/uploads/1/3/0/6/130620587/d0fd0955.pdf
      • http://mx.parchmentvalley.org/uploads/1/3/0/7/130738738/95fe5cc616.pdf
      • http://pvjv.com/uploads/1/3/0/6/130620670/1104190.pdf
      • http://idonutcare.net/uploads/1/3/0/2/130272242/fakoluzexim_fanazigenogi_jewetilagog.pdf
      • http://caddrafting.rediproject.com/uploads/1/3/0/4/130491488/1097456.pdf
      • http://nicholascomm.com/uploads/1/3/0/6/130603737/nuteragawoxowago.pdf
      • http://sabpermaculturegroup.com/uploads/1/3/0/6/130604153/newoluroguninozuxipi.pdf
      • http://uxd66r.bdgct.com/uploads/1/3/0/9/130969916/130969916.html#jawahar+navodaya+vidyalaya+class+6+admission+form+2020

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00004f5c.bin | a5cf15f5d99b002bd4f573dad87f54f0bff507c5cf7b63b3129f277766cd2e6b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4F5C | 12536 bytes
font_01_sfnt_off00007304.bin | a548ac6dcd878eb85060c2207ff706f78ef020d1099b29d3324f2fd9afca7f06 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7304 | 8400 bytes