Malicious PDF — malware analysis report

Static analysis result for SHA-256 0089dfc6d681ee91…

MALICIOUS

PDF

44.2 KB Authoring application: OpenOffice.org
MD5: 695504ccca9a852c3fcea6fb1644c4ea SHA-1: 34784d5236381a5fd68fd41ab02293648e65dfd3 SHA-256: 0089dfc6d681ee914af051eccfdb24208aacf0f657d821f10c69785f876dfcdb
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF file contains a large number of embedded URLs pointing to external PDF documents, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests a phishing or SEO spam campaign designed to drive traffic to malicious or misleading content. The ML classifier and ClamAV detection further support its malicious nature, classifying it as phishing malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://beginepava.ataxib.com/uploads/2020/01/27/3f62197e7625a.pdf
    • http://bolirowo.mir-tattoo.ru/uploads/2020/01/28/zejek.pdf
    • http://lawebared.uborka-kvartir-v-moskve.pro/uploads/2020/01/28/vuban-gamebis-ribev.pdf
    • http://limitlesspeggy.com/uploads/1/3/0/2/130270914/kujaga.pdf
    • http://salvis-pupusas.com/uploads/1/3/0/5/130589020/tusedibofuve-wopiwem-baledegiv.pdf
    • http://charastables.com/uploads/1/3/0/3/130379673/ed6d955ccb44c.pdf
    • http://gixi.cityglush6.icu/uploads/2020/01/28/xumubegusavobok-taxixe.pdf
    • http://stjeromewestchester.org/uploads/1/3/0/5/130588997/74a827dbd942bd3.pdf
    • http://vawire.japan-cosmo.ru/uploads/2020/01/29/bewudeduwatutividofa.pdf
    • http://gevelibole.okgelenk.pw/uploads/2020/01/27/3350544.pdf
    • https://pisarogaxesi.weebly.com/uploads/1/3/0/3/130323237/2703396.pdf
    • http://tiwa.atrilmedia.com/uploads/2020/01/29/sixivoniwi.pdf
    • http://newyorklifeinsuranceattorney.com/uploads/1/3/0/3/130323884/zinetidetaluseve.pdf
    • http://boxclothingco.com/uploads/1/3/0/3/130313624/jakaj.pdf
    • http://kierstenhathcock.com/uploads/1/3/0/2/130270753/e4a631d2302023.pdf
    • https://tedulidage.weebly.com/uploads/1/3/0/4/130476339/7388824.pdf
    • http://setu.funduk.me/uploads/2020/01/28/c1a004b97e.pdf
    • http://colddiamnd.com/uploads/1/3/0/6/130620460/130620460.html#eclipse+cheat+sheet+linux
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001515.bin
c02f15b351a8f2c2d36de93f6948fcd849b7f0289cc2b6dacff9e356686d2a22		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1515 8288 bytes
font_01_sfnt_off00007131.bin
8e46485b65c4c251fc8d217c8c5f722985f354f06824988eb18930027017e028		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7131 2732 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.