Malicious PDF — malware analysis report

Static analysis result for SHA-256 32a8582369320ce3…

MALICIOUS

PDF

34.4 KB Authoring application: LibreOffice
MD5: 54b8fe03db6c2fd544934863fd969ada SHA-1: 33a6f621ec82b88f6f834ca1d0f7dcc99b552732 SHA-256: 32a8582369320ce39e8fa057d6f692c6f910418fc3012f014bd3ea6391feb9a8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection of Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a malicious classification. The primary intent appears to be directing users to a vast collection of external PDF files, with the dominant host being livup.zayms.icu. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://livup.zayms.icu/uploads/2020/01/28/lujugawib.pdf
    • http://fabokajenu.tkantares.ru/uploads/2020/01/28/da5305b89b6b67.pdf
    • https://wuzosijufereri.weebly.com/uploads/1/3/0/6/130604702/4295355.pdf
    • http://validaingresso.com/uploads/2020/01/28/9aa85348a9.pdf
    • http://nashvilledrones.com/uploads/1/3/0/3/130323518/teveduzebawe.pdf
    • http://graphicsadp.com/uploads/1/3/0/6/130620348/fojojeporupiw.pdf
    • http://milieugeospatial.com/uploads/1/3/0/6/130604269/01dc9547dc324b.pdf
    • http://berkshireartsacademy.com/uploads/1/3/0/5/130588698/2519773.pdf
    • https://bugerugevufugu.weebly.com/uploads/1/3/0/3/130313103/xelolememuji.pdf
    • http://sharikiufa.ru/uploads/2020/01/28/lisitubewodat_kezabidabixofeg.pdf
    • http://herrmansexcavating.com/uploads/1/3/0/6/130639443/revatajonodojaram.pdf
    • https://xepoxasekelode.weebly.com/uploads/1/3/0/3/130323466/revevixikosafomimiw.pdf
    • http://tofelokiso.soyana.ru/uploads/2020/01/27/kufubudedararir.pdf
    • http://prostotak.info/uploads/2020/01/27/32dbe145.pdf
    • http://toxabape.info-okna.ru/uploads/2020/01/28/bebodusojajijenujisu.pdf
    • http://muxuza.aroma-piter.ru/uploads/2020/01/27/malozoxopuv.pdf
    • http://numaluvuf.familiarizarse.info/uploads/2020/01/28/pivigegi.pdf
    • http://nujolaku.original-brand.pro/uploads/2020/01/28/3560574bc.pdf
    • https://nedozaviluxa.weebly.com/uploads/1/3/0/4/130476791/bb69cf.pdf
    • http://nioba.me/uploads/2020/01/29/7775808.pdf
    • http://rikikefigi.remont-apple1.icu/uploads/2020/01/28/1947987.pdf
    • http://hoodoohemp.com/uploads/1/3/0/6/130621457/130621457.html#hypertension+guidelines+ppt+2017
    • https://nedozaviluxa.weebly.com/uploads/1/3/0/4/130476791

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000015c1.bin
bed9207c992ce1e6458a0d74e86133b141fff1a24232e61ff7a2218cc1432529		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15C1 7480 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.