Malicious PDF — malware analysis report

Static analysis result for SHA-256 5bb59d382bb7b250…

Verdict: MALICIOUS
File type: PDF
Size: 39.5 KB
Authoring application: LibreOffice
MD5: 2e481952e1baf4adae1c1bdb1e330936
SHA-1: 798901325142189a6509158b399dc483e27fe3a0
SHA-256: 5bb59d382bb7b250f0712f70115d58eb4673a0afe9d78b00bf95c49c356d37a1
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of clickable external links to other PDFs, the pattern of a generated link farm rather than a normal citation list. The ClamAV signature and the ML classifier both indicate maliciousness, specifically a phishing or traffic-generating carrier. The embedded URLs, not any active content, are the primary indicators of this activity.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links. The extracted URLs below span many domains but share one /uploads/1/3/0/N/<id>/ path pattern, which matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://cadenceresource.com/uploads/1/3/0/5/130590687/najixalotu_limadetedera_dujikeba_fiduwozusade.pdf
    • http://abesoutfitters.com/uploads/1/3/0/6/130604240/8719812.pdf
    • http://eilermannfamilyvideos.com/uploads/1/3/0/2/130287299/2b55ec4.pdf
    • http://rencommunicatons.com/uploads/1/3/0/6/130604117/fozolupilimifuxuxif.pdf
    • http://bertylwisconsin184.weebly.com/uploads/1/3/0/2/130273884/fafilogax.pdf
    • https://sotozoxuvuroba.weebly.com/uploads/1/3/0/4/130491757/sulutuzired.pdf
    • http://my-pristinedental.com/uploads/1/3/0/5/130547405/de5543afa1ab4.pdf
    • http://azqualityremodeling.com/uploads/1/3/0/2/130270979/9b76ee.pdf
    • http://csobecancour-en.com/uploads/1/3/0/4/130483879/3083187.pdf
    • http://aidenaizumi.weebly.com/uploads/1/3/0/4/130476372/wikawinewafujo.pdf
    • https://gufibedexita.weebly.com/uploads/1/3/0/2/130289524/2ff2ad2.pdf
    • http://pcfuganda.org/uploads/1/3/0/5/130550914/4824423.pdf
    • http://colddiamnd.com/uploads/1/3/0/3/130323375/6565876.pdf
    • http://bitcoinserv.co.uk/uploads/1/3/0/4/130435844/reden.pdf
    • http://219garage.com/uploads/1/3/0/4/130476447/8312035.pdf
    • http://dej.k-alinka.ru/uploads/2020/01/29/waminijoxaw.pdf
    • https://zubamewiwuzapa.weebly.com/uploads/1/3/0/5/130550700/sonugenoboxo.pdf
    • http://purplesparklefoundation.org/uploads/1/3/0/5/130590312/82c67baa.pdf
    • http://corealis-ing.net/uploads/1/3/0/3/130313366/8153211.pdf
    • http://gebeb.avon-lider.com/uploads/2020/01/29/1ce56c430123.pdf
    • http://lasvegashandyman.org/uploads/1/3/0/5/130542872/a298538.pdf
    • http://brooksidepathfinder.com/uploads/1/3/0/2/130291485/130291485.html#board+resolution+format+for+change+of+director
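The two heuristics above (link extraction and the link-farm check) can be reproduced with stdlib Python. The script below is an added example, not the scanner's own code: it pulls the /URI targets out of link annotations in a raw PDF, then flags the file when it is small, carries many external .pdf links, and those links cluster on one host or on one path shape. The thresholds (64 KB, 10 links, 50% share) are assumptions, since the report does not state the scanner's real ones; the extractor only reads literal /URI strings in uncompressed objects (object streams and hex strings are not handled); and the sample PDF it builds is constructed data with .example hostnames, not the file in this report.

```python
"""Link-farm heuristic for small PDFs (added example, not the scanner's code)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (...) literal strings inside link annotations; the group tolerates \) escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Literal-string escapes from the PDF spec that matter for URLs.
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}


def unescape_pdf_string(raw: bytes) -> bytes:
    """Undo backslash escapes (named and octal) in a PDF literal string."""
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            if nxt in ESCAPES:
                out += ESCAPES[nxt]
                i += 2
                continue
            if nxt in b"01234567":          # \ddd octal, up to three digits
                j = i + 1
                while j < len(raw) and j < i + 4 and raw[j:j + 1] in b"01234567":
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
        out += c
        i += 1
    return bytes(out)


def extract_link_uris(pdf_bytes: bytes) -> list:
    """All /URI targets in file order (the EMBEDDED_URL channel 'link annotation')."""
    return [unescape_pdf_string(m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf_bytes)]


def path_shape(url: str) -> str:
    """Directory part with digit runs collapsed, so that
    /uploads/1/3/0/5/130590687/x.pdf and /uploads/1/3/0/2/130273884/y.pdf
    fall into the same bucket (/uploads/N/N/N/N/N)."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def assess_link_farm(pdf_bytes: bytes, max_size=64 * 1024, min_links=10,
                     cluster_share=0.5) -> dict:
    """Assumed thresholds: small file, many external .pdf links, and >= 50% of
    them on one host or one path shape -> PDF_SEO_LINK_FARM-style verdict."""
    uris = [u for u in extract_link_uris(pdf_bytes)
            if u.lower().startswith(("http://", "https://"))]
    n = len(uris)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    shapes = Counter(path_shape(u) for u in uris)
    pdf_links = sum(1 for u in uris if urlsplit(u).path.lower().endswith(".pdf"))
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_shape, top_shape_n = shapes.most_common(1)[0] if shapes else ("", 0)
    clustered = n > 0 and max(top_host_n, top_shape_n) / n >= cluster_share
    return {
        "size": len(pdf_bytes),
        "link_count": n,
        "pdf_link_count": pdf_links,
        "top_host": top_host,
        "top_host_share": top_host_n / n if n else 0.0,
        "top_path_shape": top_shape,
        "top_path_shape_share": top_shape_n / n if n else 0.0,
        "flagged": len(pdf_bytes) <= max_size and pdf_links >= min_links and clustered,
    }


def build_sample_pdf(urls) -> bytes:
    """Constructed one-page PDF whose only content is one link annotation per URL."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annots + b"] >>")
    for i, url in enumerate(urls):
        esc = (url.encode().replace(b"\\", b"\\\\")
               .replace(b"(", b"\\(").replace(b")", b"\\)"))
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] "
                    b"/A << /S /URI /URI (" % (700 - 20 * i, 715 - 20 * i) + esc + b") >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# Constructed sample: many hosts, one shared /uploads/N/N/N/N/N path shape, like the report.
SAMPLE_URLS = (
    ["http://site%d.example/uploads/1/3/0/%d/13050%04d/doc%d.pdf" % (i, i % 7, i, i)
     for i in range(11)]
    + ["http://site11.example/uploads/1/3/0/4/130500011/a(1).pdf",   # exercises \( \) escapes
       "http://site12.example/uploads/1/3/0/2/130500012/index.html#topic",
       "https://docs.example.org/reference/manual"]
)

if __name__ == "__main__":
    for key, value in assess_link_farm(build_sample_pdf(SAMPLE_URLS)).items():
        print("%-21s %s" % (key, value))
```

On the constructed sample the dominant host share is low (one link per host) while the path-shape share is high, so the cluster test fires on the path pattern, which is the same signal the listed URLs in this report exhibit.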

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001636.bin
SHA-256: 59c8cdfdb7a209116e0d8be741e70db9cf88797a2d15373495257ddd9c02ef3e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1636
Size: 8536 bytes