Malicious PDF — malware analysis report

Static analysis result for SHA-256 40f578689e14abd7…

MALICIOUS

PDF

Size: 47.7 KB
Authoring application: LibreOffice
MD5: b10faa81ed8c878bec4bebe5add80666
SHA-1: aebc625eb8eedd489a39718c6ca44f9f5cc81a71
SHA-256: 40f578689e14abd77970c69010afc39b6edd45de6440ce8fc7f1f0a469447e26
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a phishing or malware distribution attempt. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports this. The primary malicious URLs are hosted on `jar.deevki.icu` and `designsbycarolann.com`, likely serving as lures for further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious (score 1.0000)

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000010a3.bin
SHA-256: 3d5335e58276c6d90758f7b1646bd6c37459dd4ea539c431fb76abfed1a3dfb2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10A3
Size: 7944 bytes