Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c76eb43b6f50c35…

Verdict: MALICIOUS
File type: PDF
Size: 42.0 KB
Authoring application: LibreOffice
MD5: 67de47620c583ac1990d8ee6424ffdbd
SHA-1: 90c68dfbfcf7ae15fb7ba7b46f777e4dbf3a8d0d
SHA-256: 6c76eb43b6f50c351271b8ff448f01f6235e67fab52d9a5383bc69cc0e1bf52f
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded URLs, many of which point to other PDF files, suggesting a link farm used for SEO or malicious redirection. The document body mixes movie-download lures with garbled text, likely intended to obscure the purpose of the links. The ClamAV detection and the ML classifier both indicate malicious intent, most likely phishing or malware distribution via the linked PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://newhavenmo.com/uploads/1/3/0/2/130271143/1812469.pdf
    • http://liamatera.net/uploads/1/3/0/6/130639513/mevifewafe.pdf
    • http://foxgrove.tech/uploads/1/3/0/6/130640059/luxet_kugopupowugodu_bawina.pdf
    • http://kitchensdoorsanddrawers.com/uploads/1/3/0/5/130543671/8010108.pdf
    • http://k2zmedia.com/uploads/1/3/0/2/130291779/9306130.pdf
    • http://cindybettinger.com/uploads/1/3/0/6/130639875/gepakipevuvebila.pdf
    • http://ledo.bimbasket.ru/uploads/2020/01/28/lovunatabid_wotubufosuna_dukerap_pogimikixum.pdf
    • http://vergisdigitalmarketing.com/uploads/1/3/0/6/130622042/feragetafolerik-zugoxidu-zikoragula.pdf
    • http://mypartypro.net/uploads/1/3/0/4/130483294/8439109.pdf
    • http://miracleinabucket.com/uploads/1/3/0/7/130739509/130739509.html#yaariyan+movie+download+worldfree4u
    • http://www.fontrix.comhttp://www.nhncorp.com
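The PDF_SEO_LINK_FARM heuristic and the per-URL channel labels above can be reproduced with a short regex-based scan. The example below is added here and is not the analyser's own code: it builds a minimal uncompressed PDF (a constructed test input, with made-up hosts such as farm.example), labels each URL by whether it came from a clickable /URI link annotation or only from the document body, and then applies the "small file, many .pdf links, mostly on one host" rule with illustrative thresholds. It only handles literal-string URIs in uncompressed objects; compressed object streams and hex strings need a real PDF parser.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")   # /A << /S /URI /URI (...) >>
BARE_URL = re.compile(rb"https?://[^\s()<>\[\]]+")              # plain-text URLs anywhere


def build_pdf(annot_urls, body_url):
    """Build a minimal uncompressed one-page PDF (constructed test input, not the analysed
    sample; it has no xref table, which the regex-based scan below does not need)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(annot_urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Contents 4 0 R /Annots [" + annots + b"] >>")
    content = b"BT /F1 12 Tf 72 700 Td (See " + body_url.encode() + b") Tj ET"
    objs.append(b"<< /Length %d >> stream\n" % len(content) + content + b"\nendstream")
    for u in annot_urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                    b"/A << /S /URI /URI (" + u.encode() + b") >> >>")
    body = b"".join(b"%d 0 obj\n" % (i + 1) + o + b"\nendobj\n" for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer << /Root 1 0 R >>\n%%EOF\n"


def extract_urls(pdf):
    """Map each URL to the channel(s) that reached it, as the EMBEDDED_URL labels do:
    'link-annotation' for clickable /URI actions, 'document-body' for anything else
    that merely appears in the file."""
    channels = {}
    clickable = {m.group(1).decode("latin-1") for m in URI_ACTION.finditer(pdf)}
    for url in clickable:
        channels.setdefault(url, set()).add("link-annotation")
    for m in BARE_URL.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url not in clickable:
            channels.setdefault(url, set()).add("document-body")
    return channels


def pdf_link_farm(pdf, max_size=100_000, min_pdf_links=5, min_host_share=0.6):
    """PDF_SEO_LINK_FARM-style check: a small file whose clickable external links are
    mostly .pdf files clustered on one host. Thresholds are illustrative assumptions."""
    channels = extract_urls(pdf)
    clickable = [u for u, c in channels.items() if "link-annotation" in c]
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    hit = len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and share >= min_host_share
    return {"size": len(pdf), "clickable": len(clickable), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2), "hit": hit}


# Constructed samples: a link-farm carrier (8 .pdf links on one host plus a movie-download
# lure page) and a normal document with two citation links. Hosts are made up.
FARM = build_pdf([f"http://farm.example/uploads/1/3/0/2/100/{n}.pdf" for n in range(8)]
                 + ["http://lure.example/130739509.html#movie+download"],
                 "http://body.example/readme.txt")
CITATIONS = build_pdf(["https://doi.example/10.1000/paper.pdf",
                       "https://arxiv.example/abs/1234"],
                      "http://body.example/readme.txt")

if __name__ == "__main__":
    for name, doc in (("farm", FARM), ("citations", CITATIONS)):
        print(name, pdf_link_farm(doc))
    for url, chans in sorted(extract_urls(FARM).items()):
        print(url, sorted(chans))
```

The channel label matters for triage: a URL that only appears in body text (or in font metadata) is far weaker evidence than one wired to a clickable /Link annotation, which is why the report lists the channel per URL rather than treating every extracted string as a detection.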

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00001293.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1293
    Size: 8388 bytes
    SHA-256: aded1ff63fcc4023017e4dd112638ec98d17fe973bdf33bd081e3c5f33080550
  • font_01_sfnt_off00006157.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6157
    Size: 1584 bytes
    SHA-256: 09980af06aa32beede8e777aa10233923e4f4a7e5cc0f889807f36331cd09c44
  • font_02_sfnt_off00006926.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6926
    Size: 2056 bytes
    SHA-256: e56f5db8faf554166087922806b3819c377976d94af14c6b8a512386de68c265
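The artifacts above were carved by locating sfnt headers inside the PDF's font streams and taking the extent of each font's table directory. The example below is added here and is not the analyser's own carver: it constructs two tiny TrueType-flavoured sfnt blobs (made-up test data, not real fonts), wraps them in a minimal PDF-like carrier with uncompressed streams, and carves them back out with the same naming scheme as the report (font_NN_sfnt_offXXXXXXXX.bin, 8-digit hex offset). The security-relevant part is the validation: every table offset and length is bounds-checked against the carrier before anything is sliced or hashed, and the PDF keyword "true", which happens to be an sfnt magic, is rejected instead of carved. The numTables ceiling of 64 is an assumption for this example.

```python
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")   # TrueType, Apple TrueType, CFF OpenType


def build_sfnt(tables):
    """Construct a minimal TrueType-flavoured sfnt (constructed test data, not a real font):
    12-byte header, one 16-byte directory entry per table, then 4-byte-aligned table data."""
    n = len(tables)
    directory, data, offset = b"", b"", 12 + 16 * n
    for tag, payload in tables:
        padded = payload + b"\0" * (-len(payload) % 4)
        directory += struct.pack(">4sIII", tag, 0, offset, len(payload))
        data += padded
        offset += len(padded)
    return b"\x00\x01\x00\x00" + struct.pack(">HHHH", n, 0, 0, 0) + directory + data


def parse_sfnt(buf, off):
    """Validate the table directory at buf[off:]. Returns (size, tags) or None.
    Every table must lie inside the carrier, so a crafted length cannot make the
    carver read (or hash) past the buffer; an absurd numTables is rejected too."""
    if buf[off:off + 4] not in SFNT_MAGICS or off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 0 < num_tables <= 64:              # sanity bound (assumption for this example)
        return None
    end = off + 12 + 16 * num_tables
    if end > len(buf):
        return None
    tags = []
    for i in range(num_tables):
        tag, _csum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if toff < 12 or off + toff + tlen > len(buf):
            return None                       # table points outside the carrier
        tags.append(tag.decode("latin-1"))
        padded_end = off + toff + ((tlen + 3) & ~3)   # tables are 4-byte aligned in the file
        end = max(end, min(padded_end, len(buf)))
    return end - off, tags


def carve_sfnt(buf):
    """Scan a carrier (e.g. a PDF with uncompressed /FontFile streams) for sfnt headers
    and carve each validated font, named as in the report: font_NN_sfnt_offXXXXXXXX.bin."""
    found, pos = [], 0
    while True:
        hits = [i for i in (buf.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return found
        off = min(hits)
        parsed = parse_sfnt(buf, off)
        if parsed is None:                    # e.g. the PDF keyword 'true' is not a font
            pos = off + 1
            continue
        size, tags = parsed
        blob = buf[off:off + size]
        found.append({"name": f"font_{len(found):02d}_sfnt_off{off:08x}.bin", "offset": off,
                      "size": size, "tags": tags, "sha256": hashlib.sha256(blob).hexdigest()})
        pos = off + size


# Constructed test data: two fake fonts, a tampered copy whose 'name' table length
# (bytes 40..44 of the directory) claims ~4 GiB, and a PDF-like carrier holding both fonts
# plus a '/Marked true' dictionary that a naive magic scan would mistake for a font.
FONT_A = build_sfnt([(b"head", b"\x00" * 54), (b"name", b"Fontrix sample")])
FONT_B = build_sfnt([(b"head", b"\x00" * 54), (b"name", b"NHN sample")])
TAMPERED = FONT_A[:40] + b"\xff\xff\xff\xf0" + FONT_A[44:]
CARRIER = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /MarkInfo << /Marked true >> >> endobj\n"
           + b"6 0 obj << /Length %d >> stream\n" % len(FONT_A) + FONT_A + b"\nendstream endobj\n"
           + b"7 0 obj << /Length %d >> stream\n" % len(FONT_B) + FONT_B + b"\nendstream endobj\n"
           + b"%%EOF\n")

if __name__ == "__main__":
    for f in carve_sfnt(CARRIER):
        print(f["name"], f["size"], f["tags"], f["sha256"])
    print("tampered header accepted:", parse_sfnt(TAMPERED, 0) is not None)
```

Real PDFs usually FlateDecode their font streams, so a production carver runs this scan over each decoded stream (and records the stream's file offset, as the report's Source column does) rather than over the raw file; the validation logic is the same either way.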