Malicious PDF — malware analysis report

Static analysis result for SHA-256 1227c9bc85a2f4de…

MALICIOUS

PDF

54.4 KB Authoring application: LibreOffice
MD5: 616376e48c1875b2696c9498d3b6cef2 SHA-1: 49edb7fa0998d03b41226ae3c8ea17341b2667a5 SHA-256: 1227c9bc85a2f4de917d8c91a85595ce55491940c3ebb9646058a08739c3f13c
192 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, identified as a link farm, which is a common technique for distributing malicious content or leading users to phishing sites. The ClamAV detection and ML classifier further support its malicious nature. No scripts were extracted, but the primary attack pattern involves redirecting users through numerous URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bemexobi.slepttava.xyz/uploads/2020/01/28/668b6fd.pdf
    • http://shopcenter17.fun/uploads/2020/01/29/86c4a7c.pdf
    • http://xp-streich.com/uploads/1/3/0/5/130542953/dasadesekape-turadamo.pdf
    • http://robynbredvick.weebly.com/uploads/1/3/0/2/130289201/2646491.pdf
    • http://ymsdreamcatchers.weebly.com/uploads/1/3/0/3/130379216/2741196.pdf
    • http://fexanaja.totachi-fs.com/uploads/2020/01/28/5300253.pdf
    • http://msert.net/uploads/1/3/0/6/130620354/wubivaje.pdf
    • http://playtherapyonlinetrainingacademy.com/uploads/1/3/0/4/130476974/xexafoxe.pdf
    • http://agilemy.life/uploads/1/3/0/6/130639398/vifaxo.pdf
    • http://wedopoge.btccn.pw/uploads/2020/01/29/puwidogekebobipa.pdf
    • http://nicoleedwardslimited.org/uploads/1/3/0/5/130550873/0be204d993a1.pdf
    • http://nuj.grushart.ru/uploads/2020/01/29/db8ccda1.pdf
    • http://zemedimala.ibuyersclub.com/uploads/2020/01/29/2332818.pdf
    • http://scoutx.us/uploads/1/3/0/4/130435726/38a8444714fc.pdf
    • http://mgtowtv.com/uploads/1/3/0/6/130605519/dadimela.pdf
    • http://misssoutheastpageantry.us/uploads/1/3/0/6/130639656/130639656.html#expenses+tracker+google+sheets
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.adobe.com/).Noto
    • http://www.google.com/get/noto/http://www.adobe.com/type/This
    • http://scripts.sil.org/OFLNoto
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001435.bin
1b0750cecb3cf67ef35cb385d94b04c2381adda02b5f58c3db58f862fb001d0d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1435 9116 bytes
font_01_sfnt_off00008895.bin
bdf78840ded9182e3b973e0079560a771e2d760334bb1b824e7cc23347121867		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8895 5544 bytes
font_02_sfnt_off000099cc.bin
2563807223d686b98c00555c583c39a0d8e0d5539b1537586a5d9d14e57bf7bf		 pdf-font-stream PDF embedded font (sfnt) at offset 0x99CC 2696 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.