Malicious PDF — malware analysis report

Static analysis result for SHA-256 0993ebb893a45e05…

MALICIOUS

PDF

42.0 KB Authoring application: LibreOffice
MD5: e746cea42d9333df7d6d05ebd2163309 SHA-1: df43a80efe6cec45d8eadaa703021221e1526e7f SHA-256: 0993ebb893a45e05b9a29ed12189883a23b3d1c8c55f1abd14ad1dc5551c7e0d
192 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of algorithmically generated URLs, indicating a link farm designed to host malicious content. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or malware distribution. While no scripts were explicitly extracted, the PDF structure and URL patterns are consistent with techniques used to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mainstrasse.org/uploads/1/3/0/2/130272080/sevusuwodulug.pdf
    • http://zodi.wellsonlineserviceverifications.biz/uploads/2020/01/28/ruvimusulezisag.pdf
    • http://gou-spo-mit.ru/uploads/2020/01/27/lipikovala.pdf
    • http://aleonor1to1.com/uploads/1/3/0/2/130271049/setuz-koguw-kogopuni-gebubesiretesex.pdf
    • http://relst-uhag66.com/uploads/1/3/0/2/130271047/jutagetutaxuluzeg.pdf
    • http://nepservicesinc.com/uploads/1/3/0/4/130476539/zowiralepirofike.pdf
    • http://lrg.ky/uploads/1/3/0/5/130538902/7469169.pdf
    • http://kwb-vlaanderen.be/uploads/1/3/0/3/130379311/zifuwevi.pdf
    • https://gusobizojela.weebly.com/uploads/1/3/0/5/130540159/95e1dba3.pdf
    • http://soldiercreekchurchofchrist.org/uploads/1/3/0/4/130489054/a15b5640c.pdf
    • https://ranatosukuxad.weebly.com/uploads/1/3/0/4/130483748/3887329.pdf
    • https://kidibibore.weebly.com/uploads/1/3/0/4/130476601/692416.pdf
    • http://zibewozisi.kpbulgakovo.ru/uploads/2020/01/29/vuxonoga.pdf
    • http://audiostart36.icu/uploads/2020/01/27/408ba.pdf
    • http://novayeastlabs.com/uploads/1/3/0/3/130312913/rabuxanolajej_mokizajem_geluxop_weregezedom.pdf
    • http://sdtranslationcenter.com/uploads/1/3/0/4/130493389/mifeniweraz.pdf
    • http://mercadohuanacaxtle.com/uploads/1/3/0/2/130270845/130270845.html#commandos+behind+enemy+lines++64+bit
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000014d1.bin
d68bf9f8ff72f4540b6c8a99f9f774e3e94eb79904cdcc8d7c3ef4c30d4aa24d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x14D1 8476 bytes
font_01_sfnt_off00006884.bin
e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6884 2652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.