Malicious PDF — malware analysis report

Static analysis result for SHA-256 83398668c77610bc…

MALICIOUS

PDF

Size: 44.8 KB
Authoring application: OpenOffice Draw
First seen: 2021-02-18
MD5: 10b1cd9b14baf0cfd19d04715e137cfd
SHA-1: 5d6f255985fc4be58ae36fea7cb9509621906b82
SHA-256: 83398668c77610bc6e73e49d0a0e5352e560e7220d178350ab798ab178d70ff9
Risk score: 160

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure [low, SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000016a9.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16A9 | 8080 bytes
  SHA-256: fb9572f41d0cda4f5193f5eb949216076db87b15f1af40ff95c972fec73e89f2
font_01_sfnt_off00006837.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6837 | 16064 bytes
  SHA-256: fc0bcc9d08d908b8b1287d0ab2df4e3a5be78b1d1690d8efe3ff9d2c54ab5679