Malicious PDF — malware analysis report

Static analysis result for SHA-256 a83379d633dcafc5…

Verdict: MALICIOUS
File type: PDF
Size: 40.1 KB
Authoring application: OpenOffice Draw
MD5: b5bcc25585f55c3e489c387bc489b69b
SHA-1: 05423d873116c68800985836c83be35ee51887e4
SHA-256: a83379d633dcafc5a939009e785a3fd9a54413e6d2b9a9f40cbb6c2a59caa909
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

Eight of the nine URLs embedded in this 40 KB PDF point to other PDF files, each on a different domain but most under an identical /uploads/1/3/0/<n>/<id>/ path layout; the ninth points to an .html page. That is the profile of a generated link-farm or distribution PDF that routes users toward further malicious or unwanted content rather than a document citing sources, and it is what the PDF_SEO_LINK_FARM heuristic matches. ClamAV independently detects the file as Pdf.Phishing.TtraffRobotInstall-7605656-0, and the Nyx PDF classifier scores it 0.9999 malicious. This is a static result: it establishes what the file links to, not what those URLs serve, since none of them were fetched during analysis.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature match
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted (9):
    • http://tapthesky.org/uploads/1/3/0/6/130621053/votavu.pdf
    • http://mymoneyways.com/uploads/1/3/0/5/130551402/fetarukefarinuk.pdf
    • http://minixclusive.com/uploads/1/3/0/5/130550980/mizeseg_vosabumi_wogazejerud.pdf
    • http://biztriage.com/uploads/1/3/0/6/130621456/91fc8a16.pdf
    • http://rainboascales.com/uploads/1/3/0/3/130313613/luxib.pdf
    • http://dug.copyrightcontact-10000671253681.com/uploads/2020/01/29/9ca8bce46ba58.pdf
    • http://bwhousein.com/uploads/1/3/0/6/130639963/0eb39678b.pdf
    • http://lincolnbailbonds.net/uploads/1/3/0/2/130289809/lafivekuwofusal_newozofada_torutig.pdf
    • http://cfthomas.com/uploads/1/3/0/4/130490006/130490006.html#gradle+latest+version+android (the only non-PDF target; the fragment is a search-style keyword string)
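To make concrete what the PDF_SEO_LINK_FARM and EMBEDDED_URL rules are measuring, the following Python is an added example, not the analysis platform's own rule code. It pulls /URI action targets out of raw PDF bytes (handling literal-string escapes and hex-encoded strings, both of which a carrier PDF can use to hide links from naive grep), then scores the file with assumed thresholds: under 200 KB and at least five external .pdf links. The PDF it scans is constructed inside the block as a stand-in for the sample and carries the nine URLs listed above; the thresholds, feature names and the function names are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# The nine URIs listed in the report, reused here as sample input.
REPORT_URIS = [
    "http://tapthesky.org/uploads/1/3/0/6/130621053/votavu.pdf",
    "http://mymoneyways.com/uploads/1/3/0/5/130551402/fetarukefarinuk.pdf",
    "http://minixclusive.com/uploads/1/3/0/5/130550980/mizeseg_vosabumi_wogazejerud.pdf",
    "http://biztriage.com/uploads/1/3/0/6/130621456/91fc8a16.pdf",
    "http://rainboascales.com/uploads/1/3/0/3/130313613/luxib.pdf",
    "http://dug.copyrightcontact-10000671253681.com/uploads/2020/01/29/9ca8bce46ba58.pdf",
    "http://bwhousein.com/uploads/1/3/0/6/130639963/0eb39678b.pdf",
    "http://lincolnbailbonds.net/uploads/1/3/0/2/130289809/lafivekuwofusal_newozofada_torutig.pdf",
    "http://cfthomas.com/uploads/1/3/0/4/130490006/130490006.html#gradle+latest+version+android",
]

# /URI values appear either as literal strings (...) with backslash escapes or as hex strings <...>.
_URI_LITERAL = re.compile(rb"/URI\s*\((?P<s>(?:\\.|[^\\()])*)\)", re.S)
_URI_HEX = re.compile(rb"/URI\s*<(?P<h>[0-9A-Fa-f\s]*)>")
_SIMPLE_ESCAPES = {ord("n"): b"\n", ord("r"): b"\r", ord("t"): b"\t", ord("b"): b"\b", ord("f"): b"\f"}


def _pdf_escape(s: str) -> bytes:
    """Escape a string for a PDF literal string (...)."""
    return s.encode("latin-1").replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def build_link_pdf(uris):
    """Constructed one-page PDF whose only content is /Link annotations with /URI actions.
    Stand-in for the sample, not the sample; the xref table is omitted because the
    extractor below scans raw bytes and never consults it."""
    annots = [b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI ("
              + _pdf_escape(u) + b") >> >>" for u in uris]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(annots)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>",
            *annots]
    out = bytearray(b"%PDF-1.4\n")
    for n, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    return bytes(out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def _unescape_literal(raw: bytes) -> bytes:
    """Decode PDF literal-string escapes: \\n-style, \\ddd octal, and \\( \\) \\\\."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != 0x5C or i + 1 == len(raw):           # not a backslash escape
            out.append(raw[i]); i += 1
        elif raw[i + 1] in _SIMPLE_ESCAPES:
            out += _SIMPLE_ESCAPES[raw[i + 1]]; i += 2
        elif 0x30 <= raw[i + 1] <= 0x37:                   # up to three octal digits
            j = i + 1
            while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF); i = j
        else:                                              # \( \) \\ and unknown escapes keep the char
            out.append(raw[i + 1]); i += 2
    return bytes(out)


def extract_uri_actions(pdf: bytes):
    """Every /URI action target in order of appearance. Scans raw bytes rather than walking
    the object tree; links inside compressed object streams would need inflating first, and
    unescaped balanced parentheses inside a literal string are not handled."""
    hits = [(m.start(), _unescape_literal(m.group("s"))) for m in _URI_LITERAL.finditer(pdf)]
    for m in _URI_HEX.finditer(pdf):
        h = re.sub(rb"\s", b"", m.group("h"))
        hits.append((m.start(), bytes.fromhex((h + b"0"[:len(h) % 2]).decode())))
    return [u.decode("latin-1") for _, u in sorted(hits)]


def link_farm_features(pdf: bytes, *, max_size=200_000, min_pdf_links=5):
    """Features behind a link-farm verdict. The thresholds are assumptions of this example."""
    parsed = [urlparse(u) for u in extract_uri_actions(pdf)]
    external = [p for p in parsed if p.scheme in ("http", "https")]
    pdf_links = [p for p in external if p.path.lower().endswith(".pdf")]
    hosts = Counter(p.netloc.lower() for p in external)
    top_share = hosts.most_common(1)[0][1] / len(external) if external else 0.0
    return {"size": len(pdf), "total_links": len(parsed), "external_pdf_links": len(pdf_links),
            "distinct_hosts": len(hosts), "top_host_share": round(top_share, 2),
            "flagged": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links}


if __name__ == "__main__":
    print(link_farm_features(build_link_pdf(REPORT_URIS)))
```

On the constructed stand-in the features come out as nine links, eight external .pdf targets spread over nine distinct hosts (top host share 0.11), and the file is flagged. The distinct-host count is worth keeping as a separate feature: the rule text speaks of links clustered on one host, but this sample spreads them across domains, so a rule that required clustering would have missed it.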

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are sfnt-format (TrueType-style) font programs embedded as PDF font streams; the offset is where each font stream sits in the sample.

Filename                       Kind             Source                                      Size
font_00_sfnt_off00001247.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x1247   9244 bytes
  SHA-256: ec1771969db1e3434bc759cc0b031800b10de16e239efa6dbbbb39ccceba1237
font_01_sfnt_off000061d1.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x61D1   2616 bytes
  SHA-256: d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04
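The artifacts above are the product of locating the sample's font streams and keeping the ones that parse as sfnt. As an added example, not the analysis platform's carver, the following Python walks every stream in a PDF, inflates those whose dictionary names /FlateDecode, validates the sfnt offset table (magic, table count, and every table record within the blob, so a font whose directory points past its own end is rejected rather than carved), and hashes what passes, naming each file in the same font_NN_sfnt_offXXXXXXXX.bin pattern. The PDF and the two fonts it processes are constructed inside the block; taking the offset as the file offset of the stream data, and the function names, are assumptions of this example.

```python
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = {b"\x00\x01\x00\x00", b"OTTO", b"true"}   # TrueType, CFF-based OpenType, Apple TrueType
_STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")       # the 'stream' keyword, not the tail of 'endstream'


def parse_sfnt_offset_table(blob: bytes):
    """Return {tag: (offset, length)} for an sfnt blob, or None when the header is inconsistent:
    bad magic, zero tables, or a directory or table record that runs past the end of the blob."""
    if len(blob) < 12 or blob[:4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack(">H", blob[4:6])[0]
    if num_tables == 0 or 12 + 16 * num_tables > len(blob):
        return None
    tables = {}
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        if offset + length > len(blob):
            return None
        tables[tag.decode("latin-1")] = (offset, length)
    return tables


def font_digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def carve_sfnt_streams(pdf: bytes):
    """Carve every stream whose (inflated or raw) contents parse as an sfnt font."""
    found = []
    for m in _STREAM_KW.finditer(pdf):
        start, end = m.end(), pdf.find(b"endstream", m.end())
        if end < 0:
            continue
        stream_dict = pdf[max(pdf.rfind(b" obj", 0, m.start()), 0):m.start()]
        # Prefer a direct integer /Length (not an 'n 0 R' reference); otherwise trim the EOL before endstream.
        length = re.search(rb"/Length\s+(\d+)(?![\d\s]*R)", stream_dict)
        if length and start + int(length.group(1)) <= end:
            raw = pdf[start:start + int(length.group(1))]
        else:
            raw = pdf[start:end].rstrip(b"\r\n")
        candidates = [raw]
        if b"/FlateDecode" in stream_dict:
            try:
                candidates.insert(0, zlib.decompressobj().decompress(raw))
            except zlib.error:
                pass   # corrupt or truncated deflate data: fall back to the raw bytes
        for blob in candidates:
            tables = parse_sfnt_offset_table(blob)
            if tables is not None:
                found.append({"filename": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
                              "offset": start, "size": len(blob), "sha256": font_digest(blob),
                              "tables": sorted(tables)})
                break
    return found


def minimal_sfnt() -> bytes:
    """Constructed stand-in font: a valid offset table and one all-zero 54-byte 'head' table."""
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", 1, 16, 0, 0)    # numTables=1
    record = struct.pack(">4sIII", b"head", 0, 28, 54)                   # table starts right after the directory
    return header + record + bytes(54)


def truncated_sfnt() -> bytes:
    """Constructed malformed font: the 'head' record claims 4096 bytes that are not present."""
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", 1, 16, 0, 0)
    return header + struct.pack(">4sIII", b"head", 0, 28, 4096)


def build_font_pdf(font: bytes) -> bytes:
    """Constructed PDF with a single FlateDecode /FontFile2 stream; not the sample."""
    comp = zlib.compress(font)
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [] /Count 0 >>",
            b"<< /Type /FontDescriptor /FontName /Stub /FontFile2 4 0 R >>",
            b"<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n" % (len(comp), len(font))
            + comp + b"\nendstream"]
    out = bytearray(b"%PDF-1.4\n")
    for n, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    return bytes(out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for artifact in carve_sfnt_streams(build_font_pdf(minimal_sfnt())):
        print(artifact)
```

Hashing the inflated stream rather than the raw bytes is what makes the digest comparable across samples: the same font program recompressed at a different zlib level would otherwise produce a different SHA-256. The bounds check in parse_sfnt_offset_table is the part worth carrying into any tooling that later opens these files, since a table record pointing outside the blob is exactly the kind of input a font parser must refuse.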