Malicious PDF — malware analysis report

Static analysis result for SHA-256 9f1a8a9661c0c2dd…

Verdict: MALICIOUS
File type: PDF
Size: 43.2 KB
Authoring application: LibreOffice
MD5: ecc9fb1df99d3599f30917f117283f4a
SHA-1: 7238110dfc91930ef5bc9443551402948b0bda22
SHA-256: 9f1a8a9661c0c2ddb1527d3a2af21ca508de1e6a857624a124b081c33328610e
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, as suggested by the ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the 'PDF_SEO_LINK_FARM' heuristic. The ML classifier also strongly flagged this PDF as malicious. The document body, though truncated, mentions 'Programa para juntar fotos em pdf', which could be a lure to disguise the malicious nature of the links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004afb.bin
SHA-256: 22028a9c2202c16784975e784bad307392c21899ebaa9e0fdf9b0a3117da22d2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4AFB
Size: 10008 bytes