Malicious PDF — malware analysis report

Static analysis result for SHA-256 74b989c46af239a6…

MALICIOUS

PDF

Size: 36.0 KB
Authoring application: LibreOffice Draw
MD5: 3b7d4b088aeea181114f15a3f8ddb638
SHA-1: b66ca13f4c28f92634ae81d4221dee54e667307f
SHA-256: 74b989c46af239a63bd46abb6e596a3ed4711dc100c1bbb2288a417725ebad34
Risk Score: 192

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains a large number of embedded URLs, many of which appear to be part of a link farm designed to redirect users to malicious content. The document body explicitly prompts the user to download and install Adobe Acrobat Reader, a common lure for users to install malicious browser extensions or updates. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mairu-tabi-bonbigirl.com/uploads/1/3/0/5/130539714/gigagowazorufiwobi.pdf
    • http://greissbuilders.com/uploads/1/3/0/2/130289681/gapagaro.pdf
    • http://beseecherllc.com/uploads/1/3/0/4/130483753/bematiler-zozazupa.pdf
    • http://thehatstore.us/uploads/1/3/0/5/130551303/vunatoxenuju.pdf
    • http://reikisoundbliss.com/uploads/1/3/0/5/130590724/3614733.pdf
    • http://agcomllc.net/uploads/1/3/0/5/130543682/82eacb67c3960.pdf
    • http://angelafrankel.com/uploads/1/3/0/6/130620321/0779254ced5.pdf
    • http://beavercreekoutdoors.com/uploads/1/3/0/6/130604896/1840612.pdf
    • http://saferescuefordogs.com/uploads/1/3/0/8/130815140/3394c9d7a9a0c7.pdf
    • http://4spn.com/uploads/1/3/0/4/130435644/jonovonoxemok.pdf
    • http://www.thepiercelawoffice.com/uploads/1/3/0/8/130814680/budax-gelifo.pdf
    • http://camposdeprovence.com/uploads/1/3/0/7/130775958/ff93f1.pdf
    • http://jalksjdlfkjslkjf01.space/uploads/1/3/0/5/130588213/7094794.pdf
    • http://randomlyincoherent.com/uploads/1/3/0/5/130551129/9f794caa.pdf
    • http://mentok.net/uploads/1/3/0/3/130313010/pujenupugumu.pdf
    • http://monkeesconcerts.com/uploads/1/3/0/4/130436033/7248545.pdf
    • http://studyinfo.ch/uploads/1/3/0/4/130475989/ribupa.pdf
    • http://theyouthchallenge.com/uploads/1/3/0/7/130775048/jadoked.pdf
    • http://mensajeriateamgo.com/uploads/1/3/0/8/130873849/gupajixo.pdf
    • http://oscarthedumpertruck.com/uploads/1/3/0/3/130379314/d050a3d4f7a182.pdf
    • http://luguimaraes.com/uploads/1/3/0/2/130272362/7703116.pdf
    • http://bigdsuperfoods.com/uploads/1/3/0/6/130604911/130604911.html#adobe+acrobat+reader+free+download+and+install

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002c11.bin
  bad117b1bc2ec7ec11cd78d17a813ef57555f99c989402c2a01c31e165c5a88f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2C11
Size: 7952 bytes