Malicious PDF — malware analysis report

Static analysis result for SHA-256 55ae269a4ec7b45f…

MALICIOUS

PDF

Size: 52.1 KB
Authoring application: LibreOffice
First seen: 2021-02-19
MD5: 4859977f7c4c717d8463bd5ba2a63adc
SHA-1: 9f830ff0466e544eb21e0bf02cc9653f644a6c60
SHA-256: 55ae269a4ec7b45f216d88466b1c9f15079c0d05a9b7ceb161c69a8ce814431b
Risk Score: 212

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 5

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Security software disable instruction [high] SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software, which is unusual for ordinary documents and high-risk in an unsolicited file
  • Document signing service impersonation lure [medium] SE_DOCUSIGN_LURE
    Document impersonates DocuSign, Adobe Sign, or a similar signing service in a signing-request context
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000038b9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x38B9 | 6544 bytes
    SHA-256: fd22af53f2844f775e2788e663f76d51cbd1f673c8a6c692d2e507cbfd993ddd
font_01_sfnt_off00004d3e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4D3E | 16488 bytes
    SHA-256: d8fa1d180e0a505d0c2b16a5f695b88c8b58e4db502161fc5572c07a7daa196e
font_02_sfnt_off000066c9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x66C9 | 9068 bytes
    SHA-256: b4c39f99a1cf21592762143845c633c92b5136514302b57fb06570516626c5c0