Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ebd11de0252927a…

MALICIOUS

PDF

46.0 KB Authoring application: LibreOffice Draw
MD5: 36b67435d4f4eba5eacc62a3a5635183 SHA-1: 41f0021e0cb5385098957d68be28cd25ad529d10 SHA-256: 0ebd11de0252927a56f3f5ab1d5b31bb39115744d097af091fdfc620923e630f
192 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links, many of which point to other PDF files hosted on various domains. This behavior is indicative of a link farm or SEO poisoning technique, likely designed to either distribute further malicious content or manipulate search results. The ClamAV detection and ML classifier strongly suggest malicious intent, and the presence of embedded URLs supports the phishing and link farm heuristics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://jatawotovo.weebly.com/uploads/1/3/0/5/130588461/sereba_dabemined_xofatuwi_xerojisumoj.pdf
    • https://malolibefol.weebly.com/uploads/1/3/0/4/130489248/zoditel.pdf
    • http://bienvenufosterryanobannonlawllc.com/uploads/1/3/0/2/130291539/8011701.pdf
    • http://sidesadon.itechieguru.com/uploads/2020/01/28/pizixu.pdf
    • http://adogenixptyltd.net/uploads/1/3/0/5/130545429/4107330.pdf
    • http://yologirlstucson.com/uploads/1/3/0/3/130313553/9771742.pdf
    • http://fixazixanu.audiostart29.icu/uploads/2020/01/28/5768789.pdf
    • http://keepkickincloggersmacon.com/uploads/1/3/0/5/130540134/2945d66e21833.pdf
    • http://mrswoodworth.com/uploads/1/3/0/4/130490808/7961059.pdf
    • http://ankezimmermann.ca/uploads/1/3/0/6/130621429/130621429.html#bible+bowl+questions+answers+exodus
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_003_off000062c7.bin
a954f0f4707a7043b63eef75d3c5c66fcd48cda01c81cda12f37a0f4a74e8a31		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x62C7 16732 bytes
font_00_sfnt_off0000126a.bin
ede8e18a45a39ef29c43b0c2b28b77c636472f376ed668add724171bba358986		 pdf-font-stream PDF embedded font (sfnt) at offset 0x126A 8436 bytes
font_02_sfnt_off00007998.bin
a2f0e64d6975656d959a0794b9a965349b6a87240c16eb122ddb64596f86590d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7998 1704 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.