Malicious PDF — malware analysis report

Static analysis result for SHA-256 34cde58afc0449c6…

Verdict: MALICIOUS
File type: PDF
Size: 37.0 KB
Authoring application: LibreOffice Draw
MD5: 29010c7383edc29eb56c061f2c4248ab
SHA-1: e2f02622c1d4b191f90604e42b37c01e11ae0912
SHA-256: 34cde58afc0449c654f3d57444dba656b26b697b0ad02b0a7a6fcadc977da450
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded URLs, forming a link farm designed to direct users to download other PDF files. The document body text, while partially corrupted, mentions 'Parikrama magazine marathi pdf' and provides download links, suggesting a lure to trick users into downloading potentially malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malware distribution intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 3

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • https://dusitofovosu.weebly.com/uploads/1/3/0/5/130551324/kakosenaxe_liwaribe_tirogiwapo.pdf
    • http://gabrielelaw.com/uploads/1/3/0/6/130640010/935203.pdf
    • http://oslorelocation.org/uploads/1/3/0/6/130605040/f302180d.pdf
    • http://mustlikeplants.com/uploads/1/3/0/4/130436188/xasujarovulobina.pdf
    • http://letylety.host/uploads/1/3/0/4/130488152/pokimotivetegoziviwe.pdf
    • http://comicatedlife.com/uploads/1/3/0/4/130435573/ae92d.pdf
    • http://naughtonsandblastinggalway.com/uploads/1/3/0/2/130289675/3167910.pdf
    • http://mobilityeco.it/uploads/1/3/0/4/130436182/lewekezowobis_sixatapaz_tazetatonuwo_mogib.pdf
    • http://michaudwellness.com/uploads/1/3/0/5/130590777/130590777.html#parikrama+magazine+marathi+pdf

Extracted artifacts 3

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off0000119a.bin
  SHA-256: e0c17df4a1031994b93d2a0d2b6012c5b98ef6f981993c52711e6418f627a06a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x119A
  Size: 7680 bytes

font_01_sfnt_off0000415c.bin
  SHA-256: 606c72864cf408c4e9dc0297490c1a0e62caa5d98899e67d9e574891b3cd036b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x415C
  Size: 7656 bytes

font_02_sfnt_off0000549c.bin
  SHA-256: a1600c79331cba21b3b4a1f056a9d989f02b1280d9db796053b5096bff0b23f3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x549C
  Size: 2000 bytes