Malicious PDF — malware analysis report

Static analysis result for SHA-256 68ccdcd1d60a6fbc…

MALICIOUS

PDF

Size: 80.7 KB
Authoring application: LibreOffice
MD5: 042c51154941a15d221c66c3fb5da067
SHA-1: 5b51d8d49e6ff747d92c8bd591f0fc1bdd6f08b1
SHA-256: 68ccdcd1d60a6fbc0421aedbaeb7b7f99c08516133c9e3e0eb70d6c099f2b6c2
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic, which is indicative of a phishing or malware distribution attempt. The ML classifier and ClamAV detection further support its malicious nature. The embedded URLs are likely intended to redirect users to malicious content, such as the linked PDF files.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9950

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000131e.bin
SHA-256: 024118a90e7c42eb73d28a481450eeed1405657f4dbc50c0402510e815e0aa72
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x131E
Size: 10376 bytes

Filename: font_01_sfnt_off0000489a.bin
SHA-256: a87b70bfad638c102fd89736c990628e4efc4114a57ee79c723898eb1b1b4485
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x489A
Size: 17040 bytes

Filename: font_02_sfnt_off0000fd36.bin
SHA-256: 7684207bf63796c8df8ed180ef40a416242eaa78df2a13b74930991b6812f68e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFD36
Size: 4780 bytes