Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a8a29bd25643f1e…

Verdict: MALICIOUS
File type: PDF
Size: 31.8 KB
Authoring application: LibreOffice
MD5: 8193889438bbb98661359139f7357062
SHA-1: 1b6aa96b37a2ae948f6528f0bcc7ab8b28583e4f
SHA-256: 6a8a29bd25643f1e32118000ab02953e9554d9c7845dc24ef52a49374f158271
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs, a technique often used for SEO manipulation or to distribute further malicious content. ClamAV identified this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', indicating a phishing or traffic redirection scheme. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001b8a.bin
SHA-256: 0b65d285befa9258b1c79ece22a62aa395144781dd1e621f158cfb2c7903ff31
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1B8A
Size: 7016 bytes