Malicious PDF — malware analysis report

Static analysis result for SHA-256 104b7e022f0d8069…

Verdict: MALICIOUS
File type: PDF
Size: 49.1 KB
Authoring application: LibreOffice
MD5: 9951f7e9801fc197a5fe4ce98c7b64d6
SHA-1: 178828a774e9675099bc925ca1f715682ce08443
SHA-256: 104b7e022f0d806959e5eaaf60598c846a64452ac34a2a5351dc6d254c106a47
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of embedded external links to other PDF files hosted on various domains. This technique is often used for SEO manipulation or to distribute further malicious content, as indicated by the 'PDF_SEO_LINK_FARM' heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier further support its malicious nature. While no scripts were explicitly extracted, the nature of the embedded links suggests a potential for JavaScript execution or other exploits within the PDF structure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00001391.bin
    SHA-256: fdba419b2cada7292ee1f94ed9cabbc16f689bf631f646747b5c807b46d1f1bd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1391
    Size: 10232 bytes
  • font_01_sfnt_off00008397.bin
    SHA-256: 4e9ae17c41f053e7ad2cff4c16f4465db96732130fdde230725ded2fe80853ad
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8397
    Size: 3156 bytes