Malicious PDF — malware analysis report

Static analysis result for SHA-256 54d2bd444c5a3538…

Verdict: MALICIOUS

File type: PDF

Size: 42.4 KB
Authoring application: LibreOffice
First seen: 2021-02-20
MD5: 7b2aa1c1de8e2b60bc6863a5e899a2e7
SHA-1: 8f6ad343e6d71dabaf709171db73633d34c3a385
SHA-256: 54d2bd444c5a3538b62a6163aa63adae6232a4138f4be37c29d04c28097f5a3b
Risk Score: 152

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9999

Heuristics (3)

  • ClamAV: Pdf.Dropper.Agent-7816952-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7816952-0
  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000015c6.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15C6
  Size: 8260 bytes
  SHA-256: bf7b56ca4a9461bcf89136e9b353eb38db1952b312c80940118791d81df938f5

Filename: font_01_sfnt_off00005542.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5542
  Size: 19232 bytes
  SHA-256: 7ad98dd20adf892ae61d5b54b5c459ebd8f973f52feceffa74ad3d8602398d5f