Malicious PDF — malware analysis report

Static analysis result for SHA-256 9570164f5c6b4614…

Verdict: MALICIOUS
File type: PDF
Size: 49.1 KB
Authoring application: LibreOffice Draw
MD5: b1be77bc464f708106666a7189370e16
SHA-1: d129467070f43e0aa3abe6cc9a68ed321b90d993
SHA-256: 9570164f5c6b461407d679ddd8ed21ac9e27e880dca542b4a0f997a1624b245c
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF file contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic, which strongly suggests a phishing or SEO manipulation campaign. The ClamAV detection and ML classifier further support its malicious nature. The document body contains garbled text and a few URLs, but the primary malicious activity appears to be the mass embedding of external links.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

font_00_sfnt_off000013bc.bin
  SHA-256: 0801b9788efba534b622f5023c5174d7f4bf8778480a644b01589c361223bc4a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13BC
  Size: 9088 bytes

font_01_sfnt_off00006bd4.bin
  SHA-256: 33d0404465bbc0ce3bbd6d7dc579b28366e2a365c03c24711b24ab5cbe567aeb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6BD4
  Size: 16216 bytes

font_02_sfnt_off000080c7.bin
  SHA-256: 5745d062e84a310dca320cb45877f12536b710682adbc25cf03d116cb705ec80
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x80C7
  Size: 4060 bytes