Malicious PDF — malware analysis report

Static analysis result for SHA-256 50f103ab508c969a…

Verdict: MALICIOUS
File type: PDF
Size: 39.3 KB
Authoring application: LibreOffice
MD5: f25222c47599fed5589c54675fac1730
SHA-1: 435cb1529073398e536c9912bb3d8ed973bcda5f
SHA-256: 50f103ab508c969a4f7bc4e0bfbd23e2a15fb5af5b0ea60c7868a28a052dac85
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to other PDF files, a technique often used for SEO poisoning or to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent. The document body, though heavily obfuscated, mentions 'ACCA past papers', suggesting a lure to entice users to click the links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://viffl.com/uploads/1/3/0/4/130488338/d6118b4.pdf
    • http://webmail.cobblertechnologies.com/uploads/1/3/0/5/130539450/3628817.pdf
    • http://teambleau.com/uploads/1/3/0/5/130543511/fipogow.pdf
    • http://desertdreamxxx.com/uploads/1/3/0/8/130814118/vugunamamil-kizizu-metove.pdf
    • http://mcctorg.org/uploads/1/3/0/5/130544001/janal-tawobivijipaj.pdf
    • http://air-ambulance-transport.com/uploads/1/3/0/6/130640174/3323766.pdf
    • http://quakestudentconferences.net/uploads/1/3/0/2/130288545/siwibijoburisuk.pdf
    • http://v2leadership.com/uploads/1/3/0/2/130291649/fugureme_tawokebitolur_judubimulul_rurijutofad.pdf
    • http://monicasscarfs.com/uploads/1/3/0/5/130551714/3b8898.pdf
    • http://oamonterey.maryhigginswebdesign.com/uploads/1/3/0/6/130621370/dinewarusus.pdf
    • http://dandeliontrade.com/uploads/1/3/0/2/130272081/dutokaza.pdf
    • http://www.lucasfamilyfarmsllc.com/uploads/1/3/0/6/130640025/3588758.pdf
    • http://newmexicofashioninfo.com/uploads/1/3/0/6/130604465/wuvogozobofo.pdf
    • http://lloydhoffman.net/uploads/1/3/0/6/130621523/9335265.pdf
    • http://porcus-sanus.de/uploads/1/3/0/4/130488417/bevososasapumi.pdf
    • http://wecleanyourspace.com/uploads/1/3/0/4/130483253/9273355.pdf
    • http://www.bonnerfund.net/uploads/1/3/0/3/130313433/9621375.pdf
    • http://bet365beiyongwangzhi.br3h.com/uploads/1/3/0/7/130740048/130740048.html#acca+f2+past+papers+2015
    • http://newmexicofashioninfo.com/uploads/1/3/0/6/1

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00002e18.bin
    SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2E18
    Size: 1708 bytes
  • font_01_sfnt_off00003956.bin
    SHA-256: 8cb71aa284f21d5732fa6b04c3fd895a9a75d3df165b50f63ddc43d6b31de345
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3956
    Size: 8976 bytes