Malicious PDF — malware analysis report

Static analysis result for SHA-256 893e042b173c7b77…

MALICIOUS

PDF

34.2 KB Authoring application: LibreOffice Draw First seen: 2021-07-13
MD5: c80b3bb9069b30b798bbd6ff876e3078 SHA-1: 57ae4cdf3b643d3a5d699f98f8764962abf471c6 SHA-256: 893e042b173c7b7746d4f55390901c01c1fe35e9f07e690124317021a94f6ead
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links likely lead to further malicious content or phishing sites, as indicated by the ClamAV detection of Pdf.Phishing.TtraffRobotInstall-7605656-0. The ML classifier also strongly flagged this PDF as malicious. The document body itself appears to be corrupted or contains obfuscated text, but the presence of numerous Weebly-hosted PDF links is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ranepovasa.weebly.com/uploads/1/3/0/2/130289211/rotasasev_fasubowikoxik_meverigem_jiruro.pdf In PDF document text
    • https://relitazix.weebly.com/uploads/1/3/0/2/130287261/2210831.pdfIn PDF document text
    • https://weliwonilubo.weebly.com/uploads/1/3/0/3/130323156/7155670.pdfIn PDF document text
    • https://vanimajomoxol.weebly.com/uploads/1/3/0/4/130488401/5848714.pdfIn PDF document text
    • https://vadasuwiwot.weebly.com/uploads/1/3/0/3/130313253/lunifuset_zogaxas.pdfIn PDF document text
    • https://wewifafosukez.weebly.com/uploads/1/3/0/4/130475997/560a298.pdfIn PDF document text
    • https://ditazolun.weebly.com/uploads/1/3/0/2/130289386/f2b5e45.pdfIn PDF document text
    • https://vewariwovosu.weebly.com/uploads/1/3/0/4/130435583/bawora-zuxad-zunizeke.pdfIn PDF document text
    • https://mivefoguver.weebly.com/uploads/1/3/0/3/130313440/4554bb413.pdfIn PDF document text
    • https://weliwonilubo.weebly.com/uploads/1/3/0/3/130323156/zanokubutazon.pdfIn PDF document text
    • https://timeleno.weebly.com/uploads/1/3/0/3/130323968/9870310.pdfIn PDF document text
    • https://muwosage.weebly.com/uploads/1/3/0/2/130289546/9279079.pdfIn PDF document text
    • https://xaritakuvakozav.weebly.com/uploads/1/3/0/3/130324416/ab5eb7dd5ad535.pdfIn PDF document text
    • https://voduboke.weebly.com/uploads/1/3/0/2/130274338/betekunoxelu-rolokoliw-mibumomogeva.pdfIn PDF document text
    • https://vopabibejo.weebly.com/uploads/1/3/0/4/130476266/jopuxurupapevosirad.pdfIn PDF document text
    • https://vidomaxe.weebly.com/uploads/1/3/0/4/130483457/8409021.pdfIn PDF document text
    • https://jutugagerubo.weebly.com/uploads/1/3/0/4/130479044/e3a922967.pdfIn PDF document text
    • https://sutezudadezizol.weebly.com/uploads/1/3/0/3/130323462/bigiti.pdfIn PDF document text
    • https://movabizuden.weebly.com/uploads/1/3/0/2/130274032/minuzusox.pdfIn PDF document text
    • https://jibusipefakarul.weebly.com/uploads/1/3/0/3/130313037/zekapu-vaxobivubovu-rajur-libalupikivugul.pdfIn PDF document text
    • https://patogadinom.weebly.com/uploads/1/3/0/4/130483703/5395208.pdfIn PDF document text
    • https://sakefozam.weebly.com/uploads/1/3/0/2/130291555/5e6a86.pdfIn PDF document text
    • https://robupolidelope.weebly.com/uploads/1/3/0/3/130313111/xefidupumekimamun.pdfIn PDF document text
    • https://devopibim.weebly.com/uploads/1/3/0/4/130476563/6280830.pdfIn PDF document text
    • https://subaviji.weebly.com/uploads/1/3/0/3/130323324/130323324.html#carter+cambridge+grammar+of+english+pdfIn PDF document text

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001684.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x1684 7788 bytes
SHA-256: 53f7802271aaf5ca14ed19d80dd93a1b84ce6d02bf73bb5a74d51d59e28f75c8

Open this report in the interactive analyzer, or submit your own file for analysis.