Malicious PDF — malware analysis report

Static analysis result for SHA-256 3153021158ce091b…

MALICIOUS

PDF

Size: 718.3 KB
Authoring application: LibreOffice
MD5: 6e7dad7f39c62017bcc2c582a80ec663
SHA-1: e32a9c0980499f1592db56386b47b27ff729d85d
SHA-256: 3153021158ce091b244c3a605b0337bb3afe31e67f9aa446187e9c2faf64523e
Risk score: 62

Malware Insights

MITRE ATT&CK: T1059.001 (Command and Scripting Interpreter: PowerShell)

The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0', together with the many URLs of unknown reputation embedded in the document, strongly suggests a phishing campaign. The external URIs are most likely meant to redirect the user to further malicious content, such as the PDF hosted at http://vagux.leggingss.xyz/uploads/2020/01/29/dunelosonumutag.pdf. Note that the report carries no PowerShell artefact of its own; the T1059.001 tag reflects the expected second stage, not behaviour observed in this file.

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://vagux.leggingss.xyz/uploads/2020/01/29/dunelosonumutag.pdf
    • http://autosearjig.com/uploads/1/3/0/4/130436137/tefegajas_piperanotagozu_marovarojifa.pdf
    • http://lilubeauty.com/uploads/1/3/0/6/130620494/bed8c6.pdf
    • http://pawufit.mindguru.pro/uploads/2020/01/29/1352373.pdf
    • http://sigroymusic.com/uploads/1/3/0/6/130620902/9fec8fa1de87ba.pdf
    • http://sesexo.russia-hot-devki.fun/uploads/2020/01/27/kogututufif.pdf
    • https://fopalimaxat.weebly.com/uploads/1/3/0/2/130273843/dajuletibufop.pdf
    • http://xakedize.brandmentore.com/uploads/2020/01/28/089af.pdf
    • http://yorkshiremotel.com/uploads/1/3/0/6/130621036/dugesafulilov_lowesenukogod_nujegibewiwud.pdf
    • http://2000jobsllc.com/uploads/1/3/0/5/130542937/puduvoxisiniwotapir.pdf
    • http://scupstateparalegals.org/uploads/1/3/0/4/130478106/sifizuw_rirobanoduk.pdf
    • http://camphillbaseball.weebly.com/uploads/1/3/0/3/130313557/waxefotudajolar-xikuzipijivusek-womevajuz.pdf
    • https://lakagagapida.weebly.com/uploads/1/3/0/2/130291689/misosotoxul.pdf
    • http://lakeje.token-movil.com/uploads/2020/01/29/3c1a564084bf5.pdf
    • http://287ranchsupplyboutique.com/uploads/1/3/0/5/130539311/josiropuka-goxakunadigode.pdf
    • http://rentkazan.com/uploads/2020/01/27/dulapa.pdf
    • http://sauroteam.weebly.com/uploads/1/3/0/5/130589295/toropisiku.pdf
    • http://3dpormexico.org/uploads/1/3/0/2/130287799/63f315a4699.pdf
    • http://namyangitaly.com/uploads/1/3/0/5/130543156/zixivi.pdf
    • http://pokiji.gotechsolucoes.com/uploads/2020/01/27/3581532.pdf
    • http://mike4congress.com/uploads/1/3/0/4/130483474/belogekew-foxufoku-paberuvu.pdf
    • http://thesingbabysingshow.com/uploads/1/3/0/6/130639021/130639021.html#ethischer+kontraktarismus+definition
    • http://pokiji.gotechso

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00002136.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x2136  Size: 13092 bytes
    SHA-256: 5dcd2de8d49e64fda71076a62a509cada7932c15e23bad2b1f159b59258fa033
  • font_01_sfnt_off00039e7a.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x39E7A  Size: 4240 bytes
    SHA-256: 22932da3751b4c0a3d93da964911e56f3b9f86fe07e5ff81b07ab466c3660401
  • font_02_sfnt_off0003ac47.bin
    Kind: pdf-font-stream  Source: PDF embedded font (sfnt) at offset 0x3AC47  Size: 16644 bytes
    SHA-256: a640567b920b03f71efdae511b582d978f8bb00531b63196d4060146df7e2ced
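To show how the PDF_URI / EMBEDDED_URL heuristics and the font carving above are arrived at, here is an added example that is not part of the original report or of the analysis tool: it scans an uncompressed PDF for /URI actions, labels each by the channel that reached it (document open action, link annotation, or another action dictionary), and carves embedded sfnt font programs by absolute file offset, naming them in the same font_NN_sfnt_offXXXXXXXX.bin style as the artifact list. The sample PDF, its *.example.invalid hostnames and the naming convention are constructed assumptions, not data from the analysed file.

```python
"""Extract /URI actions and carve sfnt font streams from a raw (uncompressed) PDF."""
import hashlib
import re
import zlib

# Constructed sample, not the analysed file: one catalog /OpenAction URI, one
# /Link annotation URI (with an escaped ')' inside the string), and one
# embedded TrueType font program. Hostnames are placeholders.
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R ",
    b"/OpenAction << /S /URI /URI (http://open.example.invalid/a.pdf) >> >> endobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj\n",
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] ",
    b"/A << /S /URI /URI (http://link.example.invalid/b\\).pdf) >> >> endobj\n",
    b"5 0 obj << /Length 8 /Subtype /TrueType >>\nstream\n",
    b"\x00\x01\x00\x00\x00\x04\x00\x00",      # sfnt version 1.0 header, 4 tables
    b"\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# PDF literal string: backslash escapes '(' ')' and '\' inside the parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
LEN_RE = re.compile(rb"/Length\s+(\d+)\b")
STREAM_RE = re.compile(rb"\bstream\r?\n")          # \b keeps 'endstream' from matching
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")


def _unescape(s: bytes) -> str:
    """Strip PDF literal-string backslash escapes."""
    return re.sub(rb"\\(.)", rb"\1", s).decode("latin-1")


def _channel(body: bytes) -> str:
    """Label which PDF construct carries the URI (the 'per-URL label')."""
    if b"/OpenAction" in body:
        return "open action"
    if re.search(rb"/Subtype\s*/Link\b", body):
        return "link annotation"
    return "action dictionary"


def extract_uris(pdf: bytes):
    """Return [(object number, channel, uri)] for every /URI action in the file."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        for u in URI_RE.finditer(body):
            found.append((num, _channel(body), _unescape(u.group(1))))
    return found


def carve_fonts(pdf: bytes):
    """Return [(filename, file offset, size, sha256)] for streams that begin with an sfnt magic."""
    carved = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        s, n = STREAM_RE.search(body), LEN_RE.search(body)
        if not s or not n:
            continue
        start = m.start(3) + s.end()          # absolute offset of the stream data
        data = pdf[start:start + int(n.group(1))]
        if b"/FlateDecode" in body[:s.start()]:   # inflate before checking the magic
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        if not data.startswith(SFNT_MAGIC):
            continue
        name = "font_%02d_sfnt_off%08x.bin" % (len(carved), start)
        carved.append((name, start, len(data), hashlib.sha256(data).hexdigest()))
    return carved


if __name__ == "__main__":
    for num, channel, uri in extract_uris(SAMPLE_PDF):
        print(f"obj {num}: {channel}: {uri}")
    for name, off, size, digest in carve_fonts(SAMPLE_PDF):
        print(f"{name}  offset=0x{off:X}  {size} bytes  sha256={digest}")
```

Two caveats a practitioner should keep in mind: this raw scan only sees objects written in plain text, so anything packed into /ObjStm object streams (common in PDF 1.5+ output) or a /JavaScript action that builds the URL at run time is invisible to it and needs a real parser or emulation; and the offset reported for a carved font is the position of the stream data in the file, which is why the report's filenames embed it.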