Malicious PDF — malware analysis report

Static analysis result for SHA-256 26c1d664a01fa15d…

Verdict: MALICIOUS
File type: PDF
Size: 88.1 KB
Authoring application: LibreOffice
MD5: 9972d51afd405a4ca93ed20089e5807a
SHA-1: e27021398b7af3fe4d6782de11a305c518b0363e
SHA-256: 26c1d664a01fa15d27ddf6d941378823352d669385926487d6c2e12b164533a1
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged by multiple heuristics, including a critical finding for a link farm and ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The document body contains numerous URLs, indicating a phishing or redirection attempt. The presence of a link farm suggests an effort to distribute malicious content or phish users across multiple domains.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://tetewoxapot.weebly.com/uploads/1/3/0/5/130547812/a21d4a4c1ecb164.pdf
    • http://keykidoll.com/uploads/1/3/0/5/130552097/buzemuluzewuk.pdf
    • http://pedobilobi.hayatimbirfilm.com/uploads/2020/01/28/8062564.pdf
    • https://mipavipi.weebly.com/uploads/1/3/0/2/130272417/6616842.pdf
    • http://funuwupi.prosamoe.ru/uploads/2020/01/27/7320783.pdf
    • http://qrkturntables.com/uploads/2020/01/29/juletisopar.pdf
    • http://andymech.net/uploads/1/3/0/2/130273798/vomajubuguzetadosuju.pdf
    • http://greenwolfverticalfarm.com/uploads/1/3/0/3/130313400/130313400.html#1956+cessna+182+poh+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00001189.bin
    SHA-256: 6d10b21499fe981a2757c17ad3e20adf335d97b4392534e95fa22bc556696e5c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1189
    Size: 8668 bytes
  • font_01_sfnt_off00010f0d.bin
    SHA-256: 11d610e9c2a389ae08f3bb43fca353317fa4d38f8cf93cceddfd83206a3772c5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10F0D
    Size: 18344 bytes