Malicious PDF — malware analysis report

Static analysis result for SHA-256 30229c577fc1ba57…

MALICIOUS

PDF

Size: 42.8 KB
Authoring application: OpenOffice.org
MD5: f0c3338770c96c74c4b8c5e22b1089e5
SHA-1: 2d30ef62845cd63b755a1685cee6dacfe978d80f
SHA-256: 30229c577fc1ba572b60ab31281ad5081024eab08bb7948ced41b6c9a2bf7ca7
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to other PDF files, a technique commonly used for SEO poisoning and phishing. The document body, while appearing to be a manual, is likely a lure to encourage users to click on these malicious links. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing and malicious redirection intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000016f4.bin
SHA-256: d7953d276d154c0782ed52d351d54cd68a4d300d7c0e3c328c891492882db216
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x16F4
Size: 7656 bytes