Malicious PDF — malware analysis report

Static analysis result for SHA-256 21eac2381654c125…

Verdict: MALICIOUS
File type: PDF
Size: 37.1 KB
Authoring application: LibreOffice
MD5: 098105b3e9192716ebdedc92e7191408
SHA-1: 1614dc3eeca30e3ec80fe20f1f61feeb6b06ecf2
SHA-256: 21eac2381654c1259b34735fa33cebfca627698cdf8d86a38b4d686282936064
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, a technique often used for SEO poisoning or to redirect users to malicious content. The heuristic 'PDF_SEO_LINK_FARM' and ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly indicate a phishing or malicious redirection attempt. The document body, though heavily obfuscated, contains URLs that are part of this link farm, suggesting the primary purpose is to drive traffic to these external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [severity: critical, rule: PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [severity: critical, rule: CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [severity: info, rule: EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted from the document:
    • https://garovenef.weebly.com/uploads/1/3/0/6/130604528/f5f56.pdf
    • http://psrglobal.net/uploads/1/3/0/5/130539235/pumubalagad-goferefijanomul-zoxot-vuvomuf.pdf
    • http://campingdishwasher.com/uploads/1/3/0/3/130313484/zuwideniva.pdf
    • http://gol.manvs.ru/uploads/2020/01/29/mekidumoniles.pdf
    • http://lynnesnydertherapy.com/uploads/1/3/0/2/130289317/6154944.pdf
    • http://gofajova.arenatap.com/uploads/2020/01/28/mitoterajino.pdf
    • http://bobo.brainit.ru/uploads/2020/01/27/3155112.pdf
    • http://gawolofore.sell-video.ru/uploads/2020/01/28/7564972.pdf
    • http://a2equine.com/uploads/1/3/0/2/130289809/masutederegi.pdf
    • https://notinudawesabiz.weebly.com/uploads/1/3/0/3/130324270/3659eb.pdf
    • http://bal.trinityemprestimos.com/uploads/2020/01/28/826760.pdf
    • http://duwudin.flashapp.online/uploads/2020/01/28/72b4a67af.pdf
    • http://wun.beru-credit.ru/uploads/2020/01/28/vemibatoriwivukumi.pdf
    • http://dutaxaso.krokus-avto.ru/uploads/2020/01/28/tosojipadigewovefife.pdf
    • https://jemeromukilede.weebly.com/uploads/1/3/0/4/130489075/xokamevokowel.pdf
    • http://cjsheavyhaul.com/uploads/1/3/0/5/130588287/130588287.html#aritmetica+de+baldor

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000013c1.bin
    SHA-256: d3d9cfbe51823fe3bfee86ff641cc5cced6dc6ef37fdf79e2ddf7d701f8b1391
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13C1
    Size: 8048 bytes
  • Filename: font_01_sfnt_off0000551d.bin
    SHA-256: e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x551D
    Size: 2652 bytes