Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e2e1a869ab82d31…

Verdict: MALICIOUS
File type: PDF
Size: 42.2 KB
Authoring application: LibreOffice
MD5: 651442b67399aed41011950a2f12311f
SHA-1: 5e118c54729603f376042811c96d0dcd3d56fff8
SHA-256: 0e2e1a869ab82d310c2e30f793a936d194a28779f74809fe45e100945837b596
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic, pointing to PDF files hosted on many different domains. This pattern indicates a link farm used to manipulate search engine results or to route users toward malicious content. The ML classifier and the ClamAV signature both support the malicious verdict, classifying the file as phishing or malware.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mercywilder.com/uploads/1/3/0/4/130435594/1024881.pdf
    • http://assistancedogassociation.com/uploads/1/3/0/7/130776083/8a176b93526444.pdf
    • http://stagecinteriors.net/uploads/1/3/0/7/130776828/7172857.pdf
    • http://pieceofmindproject.com/uploads/1/3/0/6/130603779/f821ea98d7f.pdf
    • http://soundkitsupply.com/uploads/1/3/0/5/130550911/dufipekaruno-warezilegerolis-xasamaxisitumob.pdf
    • https://xobexebu.weebly.com/uploads/1/3/0/4/130475901/wadosukako_vevujopadesekiw_donutamup_guzenikibejiwed.pdf
    • http://naturesedge-fl.org/uploads/1/3/0/3/130379824/5370246.pdf
    • http://asavagewedding.com/uploads/1/3/0/6/130604306/173276de.pdf
    • http://guniruk.gormosritual.ru/uploads/2020/01/28/raridojasidavo.pdf
    • http://drjamesworling.org/uploads/1/3/0/6/130605254/6297320.pdf
    • https://bidivagulopox.weebly.com/uploads/1/3/0/5/130552016/773f34422.pdf
    • http://reboundat.com/uploads/1/3/0/4/130483765/130483765.html#volume+of+irregular+rectangular+prism+worksheet+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000137d.bin
    SHA-256: ea121d2ec703428b4f37598346794ece3ec7f24e77b6eaf9dcfd3631a08dc10e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x137D
    Size: 8984 bytes
  • font_01_sfnt_off0000699f.bin
    SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x699F
    Size: 2652 bytes