Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6326dd158bf1d46…

Verdict: MALICIOUS
File type: PDF
Size: 35.0 KB
Authoring application: LibreOffice Draw
MD5: 1a10afe819af660562ef6029a91a68b8
SHA-1: 63f9619377ac00acd35c260bd87f39c06f396dc9
SHA-256: a6326dd158bf1d46ee5a0f89599d754f974990ba9c5081e6091502f695aa1a9f
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, as flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV signature match and the ML classifier score also strongly indicate malicious intent. The document body, although heavily corrupted, contains references to URLs that are likely part of this link farm. The primary attack pattern appears to be SEO manipulation or redirection to malicious sites through a link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00001441.bin
    SHA-256: 8efac249c241281f3015ed842a43d5e6a494653d35c8fea90864a58df64b4b59
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1441
    Size: 8004 bytes
  • font_01_sfnt_off00004de0.bin
    SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4DE0
    Size: 1708 bytes