Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ac4f8b56c32ed82…

Verdict: MALICIOUS
File type: PDF
Size: 138.4 KB
Authoring application: LibreOffice
MD5: 12c43d2d1694b3502d5a1d56a1654046
SHA-1: 9a404d568bceb7de244969943ff294973af0f197
SHA-256: 9ac4f8b56c32ed82ecc490dcbac75239ef7f55c01c3c1981cca23c24060da9ef
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or distribution mechanism. The ML classifier and ClamAV detection strongly indicate malicious intent. The embedded URLs are likely used to redirect users to malicious content or further stages of an attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9950

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://whiddenprinting.com/uploads/1/3/0/6/130639700/c5fce07de2.pdf
    • http://alisonreber.com/uploads/1/3/0/7/130740097/9533084.pdf
    • http://warrenbaker.org/uploads/1/3/0/6/130604500/navigabipefiw_lerunikos_jutonagin.pdf
    • http://rootholden.com/uploads/1/3/0/4/130483286/wifunivemujese_bigedizux_wositarebiz_menilerodejonud.pdf
    • http://kchcapital.com/uploads/1/3/0/6/130620681/d6faa.pdf
    • http://diegobarrenechea.art/uploads/1/3/0/7/130775055/2139780.pdf
    • http://www.fbsaccounting.net/uploads/1/3/0/3/130312986/398236b041.pdf
    • http://www.figoensemble.com/uploads/1/3/0/6/130639775/feropofupakofa-sugetugozufew.pdf
    • http://mentalis.info/uploads/1/3/0/2/130287973/6475816.pdf
    • http://habari.com.au/uploads/1/3/0/3/130313588/9319192.pdf
    • http://rubysnap.org/uploads/1/3/0/3/130313319/1864097.pdf
    • http://www.aclifecoaching.com/uploads/1/3/0/8/130873794/8842732.pdf
    • http://cibailey.com/uploads/1/3/0/5/130589186/xenevog-fobulatupav.pdf
    • http://michellevp.com/uploads/1/3/0/7/130775503/godevubumowub.pdf
    • http://istaripictures.com/uploads/1/3/0/6/130603785/vogijep.pdf
    • http://sylvainetlesfilles.com/uploads/1/3/0/6/130620746/6af8c4.pdf
    • http://mka-remix.com/uploads/1/3/0/6/130620674/f1430c110951.pdf
    • http://victordata.net/uploads/1/3/0/6/130604615/77e6d863ec9fa4.pdf
    • http://teamsparkwellness.com/uploads/1/3/0/4/130476733/fipinepupufawuvugub.pdf
    • http://x0723080xstreamtravel.xsideas.com/uploads/1/3/0/6/130621148/130621148.html#aditya+hridaya+stotra+book+pdf+telugu

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000167d1.bin
    SHA-256: 1cbcc6ccb4c0e39095e587a84d88e28c288fced985aab23597519fc935a1653b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x167D1
    Size: 1428 bytes
  • font_01_sfnt_off00016f89.bin
    SHA-256: 9f9dfb81266e753030d6d9cb183b294038be6282ac1178a8d89d865ad97cc925
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16F89
    Size: 17536 bytes
  • font_02_sfnt_off00018ca8.bin
    SHA-256: e294a9136f76a74ef1a113aff6b2a750ae5fa50cf106286e5610aaf20ff9e95d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x18CA8
    Size: 20328 bytes
  • font_03_sfnt_off0001c6c5.bin
    SHA-256: b37aead474682e20f76ba6ac3f3b2c4792a5073ed6c1e1f02fe410f78d26d74c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1C6C5
    Size: 8024 bytes