Malicious PDF — malware analysis report

Static analysis result for SHA-256 6967d7e19be3d7a8…

Verdict: MALICIOUS
File type: PDF
Size: 62.9 KB
Authoring application: LibreOffice Draw
MD5: 4845608830f914bd2cb3655ee565fef5
SHA-1: a9061ed87e5746780dbe836cc90abee54d148e28
SHA-256: 6967d7e19be3d7a88cc9aad7b4ae75687cbf8dc28476cc8b0aa2cf1fa4d36260
Risk Score: 152

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The primary finding is a large number of embedded external links to other PDF files, suggesting a link farm or distribution mechanism. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000014e7.bin | d1f51596a0dd69f3a1ede32e94eb8a078b15d8769f0295262bdc44552ab0cc97 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14E7 | 11856 bytes
font_01_sfnt_off00008c07.bin | 4b38de96dc5408fa02d343175d133a7712f6b5b56726770ce62cb19663bb72e8 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8C07 | 8728 bytes
font_02_sfnt_off0000a6fa.bin | e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA6FA | 2652 bytes
font_03_sfnt_off0000afca.bin | 0d355b956a9dff8708fe1b1ecbbec6815800202606c49a7e1bd1898687aadaa0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAFCA | 16120 bytes