Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e751a9a56d56fd0…

MALICIOUS

PDF

Size: 36.1 KB
Authoring application: OpenOffice Draw
MD5: 60e7996706013d6b2ec17aa2043dc481
SHA-1: 2f9f61009c6c6f5fcd2e8b48460d3dfa7cc25dd5
SHA-256: 0e751a9a56d56fd0c66849d7f09f1bf27e30f0ea83989e554cc4c935a0a51cf2
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection and ML classifier also indicate maliciousness. The embedded URLs are likely used to redirect users to malicious content or for SEO spam purposes. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://zobog.hotelimperiya.ru/uploads/2020/01/28/begavanegum_nunujejot.pdf
    • http://nosupegepo.razbaby.ru/uploads/2020/01/27/d523e3a61cf31c.pdf
    • https://xafuvoja.weebly.com/uploads/1/3/0/5/130542758/jadojemel-kefana-bobeju-jamerupoxufilu.pdf
    • http://ripo.muzonik.ru/uploads/2020/01/28/digos.pdf
    • https://nigudesamad.weebly.com/uploads/1/3/0/3/130379523/kexividilememi.pdf
    • http://mulekum.rkmw.ru/uploads/2020/01/28/4a8718.pdf
    • http://raz-ezzhaya.ru/uploads/2020/01/28/43a032bc9.pdf
    • http://liboga.itilavto.ru/uploads/2020/01/28/2917239.pdf
    • http://vot.q-rp.ru/uploads/2020/01/27/fc1438365ca89.pdf
    • http://lancevictormoore.net/uploads/1/3/0/3/130323100/130323100.html#abvp+of+full+form+name
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000011b4.bin
    SHA-256: ecfa800e0796f771a53c9d7790248af9f4fb740763e1ffebf8dcdc3e8fc33fd9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11B4
    Size: 8112 bytes
  • Filename: font_01_sfnt_off00004a11.bin
    SHA-256: de11def34ee321fdbb414bfb22ea48ecb5c05cf1341d23d434640a9feeab1302
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4A11
    Size: 6576 bytes