Malicious PDF — malware analysis report

Static analysis result for SHA-256 0db3a1864b6d3b11…

Verdict: MALICIOUS
File type: PDF
Size: 73.8 KB
Authoring application: LibreOffice
MD5: 25277f8aa94040159c66e237a5a169a0
SHA-1: b11c240d1d021c6d9cac4f99b9759f50bb3c858f
SHA-256: 0db3a1864b6d3b1181b6d5424fcecc253d0a0be282eb1a9da09707cda9a6c815
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of clickable links to externally hosted PDF files, a pattern used for SEO manipulation and to route readers into further malicious content. The ClamAV signature and the ML classifier both strongly indicate malicious intent, most likely phishing or malware distribution. No scripts were extracted; the embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://moldremovaltarzana.org/uploads/1/3/0/6/130604716/8027094.pdf
    • https://guwogifofifen.weebly.com/uploads/1/3/0/3/130323836/afe844a6.pdf
    • http://legacytransportation-freightbrokerage.com/uploads/1/3/0/2/130288307/rubixe.pdf
    • http://dotekob.vidracariaartvidros.site/uploads/2020/01/27/7574651.pdf
    • http://bpinformatica.com/uploads/2020/01/27/998b5fcad024a8.pdf
    • http://newhomeswithashley.com/uploads/1/3/0/5/130590122/9b62b04.pdf
    • http://nomoremondays.us/uploads/1/3/0/5/130590478/a1a98f73f717.pdf
    • http://vab.help-vk.ru/uploads/2020/01/28/40c3195171a.pdf
    • https://wosaxiwod.weebly.com/uploads/1/3/0/2/130272083/84e7f362fc.pdf
    • http://nyingma-summer-seminar.com/uploads/1/3/0/6/130622089/3045092.pdf
    • http://peterandmichele.com/uploads/1/3/0/4/130478057/7687554.pdf
    • https://gisidigefuro.weebly.com/uploads/1/3/0/5/130551339/3479709.pdf
    • http://michelleveixmccartan.com/uploads/1/3/0/5/130588939/xoviwilopezagero.pdf
    • https://zujepibak.weebly.com/uploads/1/3/0/5/130543020/d95fd63cf.pdf
    • http://bestcraneschool.com/uploads/1/3/0/3/130313624/ragaxuxaluweso_medovedivi.pdf
    • http://carpetcleancary.com/uploads/1/3/0/2/130289211/130289211.html#nice+guidelines+hypertension+in+pregnancy+2016+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
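The two points the heuristics above turn on are (a) which channel reached each URL, since a font-licence string in a stream is not a clickable link, and (b) the link-farm shape itself: a small file carrying many clickable links to external .pdf files. The following is an added example, not the vendor's detection code or part of the report: it builds a constructed, minimal PDF-like byte string containing the report's listed URLs (the first sixteen as /URI link annotations, the five font-licence URLs as plain stream text), extracts URLs per channel, and applies an illustrative link-farm rule. The size and link-count thresholds, the `apex()` domain grouping and the `build_sample_pdf()` layout are assumptions made for the example; the real sample's internal structure is not reproduced.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# URLs as listed under EMBEDDED_URL in the report. The first sixteen are
# modelled here as link annotations, the last five as font-licence text.
LINK_URLS = [
    "http://moldremovaltarzana.org/uploads/1/3/0/6/130604716/8027094.pdf",
    "https://guwogifofifen.weebly.com/uploads/1/3/0/3/130323836/afe844a6.pdf",
    "http://legacytransportation-freightbrokerage.com/uploads/1/3/0/2/130288307/rubixe.pdf",
    "http://dotekob.vidracariaartvidros.site/uploads/2020/01/27/7574651.pdf",
    "http://bpinformatica.com/uploads/2020/01/27/998b5fcad024a8.pdf",
    "http://newhomeswithashley.com/uploads/1/3/0/5/130590122/9b62b04.pdf",
    "http://nomoremondays.us/uploads/1/3/0/5/130590478/a1a98f73f717.pdf",
    "http://vab.help-vk.ru/uploads/2020/01/28/40c3195171a.pdf",
    "https://wosaxiwod.weebly.com/uploads/1/3/0/2/130272083/84e7f362fc.pdf",
    "http://nyingma-summer-seminar.com/uploads/1/3/0/6/130622089/3045092.pdf",
    "http://peterandmichele.com/uploads/1/3/0/4/130478057/7687554.pdf",
    "https://gisidigefuro.weebly.com/uploads/1/3/0/5/130551339/3479709.pdf",
    "http://michelleveixmccartan.com/uploads/1/3/0/5/130588939/xoviwilopezagero.pdf",
    "https://zujepibak.weebly.com/uploads/1/3/0/5/130543020/d95fd63cf.pdf",
    "http://bestcraneschool.com/uploads/1/3/0/3/130313624/ragaxuxaluweso_medovedivi.pdf",
    "http://carpetcleancary.com/uploads/1/3/0/2/130289211/130289211.html#nice+guidelines+hypertension+in+pregnancy+2016+pdf",
]
BODY_URLS = [
    "http://www.ascendercorp.com/",
    "http://www.ascendercorp.com/typedesigners.html",
    "https://fedoraproject.org/wiki/Licensing/LiberationFontLicense",
    "http://dejavu.sourceforge.net",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]

# /URI action of a link annotation; the literal string may contain escaped parens.
URI_ANNOT_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
BARE_URL_RE = re.compile(rb"https?://[^\s()<>\[\]]+")


def build_sample_pdf(link_urls, body_urls):
    """Constructed input (assumption, not the analysed sample): one /Link
    annotation object per link URL, and the body URLs inside an uncompressed
    stream, the way font-licence strings end up in a PDF."""
    parts = [b"%PDF-1.4"]
    for n, url in enumerate(link_urls, start=1):
        parts.append(f"{n} 0 obj << /Type /Annot /Subtype /Link "
                     f"/A << /S /URI /URI ({url}) >> >> endobj".encode("latin-1"))
    body = "\n".join(f"Licence: {u}" for u in body_urls)
    parts.append(f"{len(link_urls) + 1} 0 obj << /Length {len(body)} >> stream\n"
                 f"{body}\nendstream endobj".encode("latin-1"))
    parts.append(b"%%EOF")
    return b"\n".join(parts)


def extract_urls(pdf_bytes):
    """Return (channel, url) pairs. Link annotations are collected first and
    then blanked out, so the bare-URL scan only reports document-body text."""
    found = [("link_annotation", re.sub(rb"\\(.)", rb"\1", m).decode("latin-1"))
             for m in URI_ANNOT_RE.findall(pdf_bytes)]
    remainder = URI_ANNOT_RE.sub(b"", pdf_bytes)
    found += [("body", m.decode("latin-1")) for m in BARE_URL_RE.findall(remainder)]
    return found


def apex(host):
    """Crude registrable-domain approximation (last two labels). Enough to
    group Weebly subdomains for this example; not a public-suffix lookup."""
    return ".".join(host.split(".")[-2:]) if host else ""


def link_farm_verdict(urls, file_size, max_size=256 * 1024, min_pdf_links=10):
    """Illustrative rule with assumed thresholds (not the vendor's): a file at or
    under max_size with at least min_pdf_links clickable external links whose
    path ends in .pdf. Only link annotations count; body URLs are noise here."""
    clickable = [u for ch, u in urls if ch == "link_annotation"]
    ext_pdf = [u for u in clickable
               if urlsplit(u).scheme in ("http", "https")
               and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(apex(urlsplit(u).hostname) for u in ext_pdf)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    return {
        "clickable_links": len(clickable),
        "external_pdf_links": len(ext_pdf),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(top_n / len(ext_pdf), 2) if ext_pdf else 0.0,
        "PDF_SEO_LINK_FARM": file_size <= max_size and len(ext_pdf) >= min_pdf_links,
    }


if __name__ == "__main__":
    sample = build_sample_pdf(LINK_URLS, BODY_URLS)
    urls = extract_urls(sample)
    for channel, url in urls:
        print(f"{channel:16} {url}")
    print(link_farm_verdict(urls, file_size=len(sample)))
```

Run against the report's 73.8 KB size, the rule fires on 15 external .pdf links out of 16 clickable links, while the five licence URLs are reported under the body channel and never counted. The host share is returned as supporting data rather than a trigger: on the listed URLs the largest group (weebly.com subdomains) is only about a quarter of the PDF links, so a rule that demanded a single dominant host would need a different grouping than hostname to reproduce the report's "mostly clustered" wording. On a real file the regex approach only sees uncompressed objects; FlateDecode streams must be inflated first.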

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000014e9.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x14E9  8348 bytes
  SHA-256: 5cee3167380b3a331b7b065fbb21a2d66e3e1babffd109eb2a15f7b1aafd6c9a
font_01_sfnt_off0000d334.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xD334  2600 bytes
  SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee
font_02_sfnt_off0000dbc2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDBC2  16036 bytes
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63