Malicious PDF — malware analysis report

Static analysis result for SHA-256 2a38ae4a05d6bd4f…

MALICIOUS

PDF

Size: 43.9 KB
Authoring application: OpenOffice.org
MD5: 96c33cc7a6fa56256ea2ea0349ce14e3
SHA-1: 6f77127de9667f8282517986116c8e0dd7b498dd
SHA-256: 2a38ae4a05d6bd4f68387e61037862fa1705ee0146ecda279b87f51f6d7ceb06
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. The primary URL identified is http://rubijepono.tandifac.tech/uploads/2020/01/29/turatik_biwasopunut.pdf.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://rubijepono.tandifac.tech/uploads/2020/01/29/turatik_biwasopunut.pdf
    • http://golfoutingwizard.com/uploads/1/3/0/2/130288498/0b55d88ed2.pdf
    • http://avalonlinenrental.com/uploads/1/3/0/6/130620929/lumuluro.pdf
    • http://nstarlight.com/uploads/1/3/0/6/130621985/9672185.pdf
    • http://nod.shyamaprasad.in/uploads/2020/01/28/f7702658ea763.pdf
    • http://teko.mosinztorg.ru/uploads/2020/01/27/mosegarageto.pdf
    • http://europeanfenestrationsystems.com/uploads/1/3/0/2/130289774/menubuwonuzufepileke.pdf
    • https://ravugukewapiso.weebly.com/uploads/1/3/0/4/130435631/6821998.pdf
    • https://muvenilatu.weebly.com/uploads/1/3/0/2/130271099/da07a.pdf
    • http://lisakleinspeech.com/uploads/1/3/0/3/130313368/dupenav.pdf
    • http://clevelandtncrawlspaceencapsulations.com/uploads/1/3/0/4/130477414/lokurururudofas.pdf
    • http://repebokiri.topfloor.space/uploads/2020/01/29/8614911.pdf
    • https://rofuxili.weebly.com/uploads/1/3/0/6/130604459/790573.pdf
    • https://jobuxufuvarirex.weebly.com/uploads/1/3/0/5/130538891/miwozapavowizid_loxareletutepa_nezojore_mijimiguzamukix.pdf
    • http://ccsfurnitureanddesign.com/uploads/1/3/0/5/130551464/1344220.pdf
    • http://delunozal.conditionsnap.com/uploads/2020/01/27/fb655c2.pdf
    • http://britainunravelled.com/uploads/1/3/0/4/130435834/fenujawebu_witisulokibomo_tedovojuxesowi.pdf
    • http://madelinemariebecker.com/uploads/1/3/0/3/130323835/bowosofumum_xexukubodafu_veruzamilere_zapufupufo.pdf
    • http://reg.francescoscialo.it/uploads/2020/01/28/2250320.pdf
    • http://telelistamg.com/uploads/2020/01/27/5857294.pdf
    • http://clavesparatusalud.com/uploads/1/3/0/5/130541924/8094136.pdf
    • http://xudimotap.stroyrema.ru/uploads/2020/01/28/suvamotarasorej.pdf
    • http://tcsonline.net/uploads/1/3/0/4/130483868/130483868.html#cobra+spx+900+manual
    • http://delunoza

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000172a.bin
SHA-256: 74a3ff92bb4a11bd8e5b6c304f231caf4dfabef2860b783e0085a94140028bba
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x172A
Size: 8804 bytes