Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ee131cb4a90eed5…

Verdict: MALICIOUS
File type: PDF
Size: 47.3 KB
Authoring application: LibreOffice Draw
MD5: d5e186d9f2dc590ee80b5ee26c534442
SHA-1: ab3a81dd3469a69862b9f47da8a87de4115e6fbb
SHA-256: 5ee131cb4a90eed52ae6e57d29c29c6ed8605b65d41f7a6aa0089ca06d940a05
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic. The 26 extracted URLs point at 26 distinct hosts (25 targets are PDF files, one is an HTML page), yet all share the same /uploads/1/3/0/<d>/<id>/ path template, which is the signature of a generated link-farm document built to manipulate search-engine results or to route users into malicious or unwanted-software delivery chains rather than a normal citation pattern. The ML classifier and ClamAV also flag the file as malicious; the URLs themselves are indicators, not a verdict on their own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF containing many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains rather than a normal document citation pattern. In this sample the clustering is not on a single host: the 26 extracted links sit on 26 distinct hosts but share one /uploads/1/3/0/<d>/<id>/ path template, which points to the same generated-carrier pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs:
    • http://bottlecan.biz/uploads/1/3/0/7/130775803/lunepajujeparo.pdf
    • http://pressonclassroom.com/uploads/1/3/0/2/130272071/jekojon-polazozajel-muxipijo-xitegepelufuso.pdf
    • http://downundermigration.com/uploads/1/3/0/2/130291699/wupezigagiwego_daligonaku_zilarire_movegejunanu.pdf
    • http://travelingnurses1.com/uploads/1/3/0/5/130551794/wipuverabibos_tofupupepafix.pdf
    • http://nyctoursandattractionsgroup.com/uploads/1/3/0/4/130488829/tajoges-xunadavadij.pdf
    • http://colibot.com/uploads/1/3/0/7/130740477/kererugitakerefobon.pdf
    • http://plataformaciudadana.net/uploads/1/3/0/4/130476447/4582280.pdf
    • http://northolmstedgymnastics.com/uploads/1/3/0/4/130476859/262386.pdf
    • http://lemonadedivorce.net/uploads/1/3/0/7/130775817/nikofofepuv-waxavazuzewe.pdf
    • http://fireatheart.com/uploads/1/3/0/4/130476273/81ed2c0a17.pdf
    • http://sgpbusiness.net/uploads/1/3/0/8/130813592/1724589.pdf
    • http://avikat.com/uploads/1/3/0/4/130489830/d9222c9d66b028.pdf
    • http://supplementbottles.com/uploads/1/3/0/3/130313262/213785.pdf
    • http://rinievandriel.com/uploads/1/3/0/3/130379126/2013136.pdf
    • http://richmondandflood.com/uploads/1/3/0/6/130603802/9928011.pdf
    • http://micromulsion.com/uploads/1/3/0/3/130324386/gudama.pdf
    • http://surrealgram.com/uploads/1/3/0/2/130291996/1805096.pdf
    • http://mta160.qualitynow.net/uploads/1/3/0/5/130588989/6e7404cdb.pdf
    • http://eatonaroll.com/uploads/1/3/0/6/130621369/4e62dc4d45f88.pdf
    • http://answersoperation.com/uploads/1/3/0/5/130588425/dukudofenekosar_fudexoxeli_majuvufu_mizezudusegov.pdf
    • http://babymoontrips.com/uploads/1/3/0/2/130289797/89387c4dcaf54.pdf
    • http://nathanbohachvibes.com/uploads/1/3/0/7/130775719/nujamilubefu.pdf
    • http://dmnroundtable2020.com/uploads/1/3/0/6/130620758/4133050.pdf
    • http://fallentravelers.com/uploads/1/3/0/7/130776688/6081061.pdf
    • http://asiamarketcorp.com/uploads/1/3/0/2/130272083/mofobal-gomum-padub-guziz.pdf
    • http://ebmccallanbuildingltd.com/uploads/1/3/0/8/130874497/130874497.html#blood+cells+contains+hemoglobin+for+gas+transport
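To make the PDF_SEO_LINK_FARM heuristic and the per-channel URL extraction above concrete, here is an added example; it is not the scanner's own code. It writes a minimal uncompressed PDF with one /Link annotation per URL from a constructed URL list, pulls the /URI targets back out (the link-annotation channel only), and scores the link pattern. The thresholds, the sample hostnames and the farm-vs-citation split are assumptions made for this example. The shared-path-template signal generalises the heuristic's "one host" wording: in the report's own list every target is on a different host, but all sit under the same /uploads/1/3/0/<d>/<id>/ directory shape, so the example counts that as clustering too.

```python
"""Toy PDF_SEO_LINK_FARM-style heuristic (added example, not the scanner's code)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample input modelled on the report's list: distinct hosts, every
# target a .pdf, one shared /uploads/<n>/<n>/<n>/<n>/<id>/ directory template.
SAMPLE_FARM_URLS = [
    f"http://farm-host-{i:02d}.example/uploads/1/3/0/{i % 9}/1307{i:05d}/doc{i}.pdf"
    for i in range(12)
]
# Constructed benign control: a few citations to unrelated hosts and paths.
SAMPLE_CITATION_URLS = [
    "https://docs.example.org/spec/v2/overview.html",
    "https://archive.example.net/papers/2019/study.pdf",
    "https://www.example.com/about",
]


def build_pdf_with_links(urls):
    """Write a minimal single-page PDF with one /Link annotation per URL.

    Objects stay uncompressed so the regex extractor below can see them; real
    samples often hide annotations inside compressed object streams.
    """
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annots}] >>".encode()
    )
    for i, url in enumerate(urls):
        y = 700 - 12 * i  # one clickable strip per link, stacked down the page
        objs.append(
            f"<< /Type /Annot /Subtype /Link /Rect [50 {y} 550 {y + 10}] "
            f"/A << /S /URI /URI ({url}) >> >>".encode()
        )
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_pos = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_pos}\n%%EOF\n").encode()
    return bytes(out)


# Literal-string /URI actions only; hex strings and /ObjStm contents are not covered.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")


def extract_link_uris(pdf_bytes):
    """Return URI-action targets in file order (the 'link annotation' channel)."""
    return [m.decode("latin-1") for m in URI_ACTION_RE.findall(pdf_bytes)]


def link_farm_features(pdf_bytes):
    """Summarise file size and link-target structure for the heuristic."""
    uris = extract_link_uris(pdf_bytes)
    hosts = [urlsplit(u).hostname or "" for u in uris]
    # Directory of each target with digit runs collapsed, e.g. /uploads/N/N/N/N/N.
    templates = [re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0]) for u in uris]
    n = len(uris)
    share = lambda items: (Counter(items).most_common(1)[0][1] / n) if n else 0.0
    return {
        "size": len(pdf_bytes),
        "links": n,
        "distinct_hosts": len(set(hosts)),
        "top_host_share": share(hosts),
        "pdf_link_ratio": (sum(urlsplit(u).path.lower().endswith(".pdf") for u in uris) / n) if n else 0.0,
        "shared_path_template_share": share(templates),
    }


def is_seo_link_farm(feat, max_size=200_000, min_links=10, min_pdf_ratio=0.7, min_cluster=0.6):
    """Flag a small PDF whose clickable links are mostly external PDFs that cluster.

    Thresholds are assumptions. Clustering counts either on one host (the
    heuristic's wording) or on one shared path template (what the report shows).
    """
    if feat["size"] > max_size or feat["links"] < min_links:
        return False
    if feat["pdf_link_ratio"] < min_pdf_ratio:
        return False
    return feat["top_host_share"] >= min_cluster or feat["shared_path_template_share"] >= min_cluster


if __name__ == "__main__":
    for name, urls in (("farm", SAMPLE_FARM_URLS), ("citations", SAMPLE_CITATION_URLS)):
        feat = link_farm_features(build_pdf_with_links(urls))
        print(name, is_seo_link_farm(feat), feat)
```

On a real sample, run the extractor over decompressed objects (for example after a QDF-style rewrite with qpdf or via pikepdf), since the regex only sees literal strings in uncompressed objects; URIs in hex strings or object streams would otherwise be missed. Keep the report's EMBEDDED_URL caveat in mind as well: the extracted list is a feature for the heuristic, not a verdict by itself.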

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005436.bin
SHA-256: bb84729956ebe73bd0fe3d7be6961af1d07d06162aba1f1f5900bb944f7e880b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5436
Size: 8056 bytes