Malicious PDF — malware analysis report

Static analysis result for SHA-256 b2b0473dd13788bb…

Verdict: MALICIOUS

File type: PDF
Size: 49.5 KB
Authoring application: LibreOffice Draw

MD5: ebdcd1781c051b940f53fc809723615d
SHA-1: 3c42a5139fce6b5d30b8b2776490da95559b5d86
SHA-256: b2b0473dd13788bba734ecddad8a3f8d7b4ed8a71b70b3b603ef99eab1a2582a

Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

The PDF was flagged by multiple heuristics, including a critical finding for a large external link farm and a ClamAV detection for Pdf.Phishing.TtraffRobotInstall-7605656-0. The embedded URLs, most of them on free Weebly subdomains and the rest on assorted unrelated domains, each point at yet another PDF under an /uploads/ path, and the final URL carries a keyword fragment (lonely+planet+vietnam+cambodia+laos+) typical of SEO bait. That pattern is consistent with a generated link-farm or traffic-driving campaign rather than genuine document citations. The ML classifier independently scored the file as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical; PDF_SEO_LINK_FARM)
    A small PDF carries many clickable external links to other PDFs, clustered on one hosting domain (here 11 of the 21 extracted URLs are weebly.com subdomains). This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical; CLAMAV_DETECTION)
    ClamAV signature match: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL alone is not a detection; the per-URL channel labels in the full report record how each URL is reachable (macro, JavaScript, link annotation, document body, ...).
    • https://bisogovopiwafa.weebly.com/uploads/1/3/0/3/130379115/polarofovasuvagiz.pdf
    • http://vogam.qpeqwqj.info/uploads/2020/01/27/paxalipovulo_wijekitoboma_waxojenuvonux.pdf
    • https://dawigepiberaba.weebly.com/uploads/1/3/0/4/130476004/maguram-toxijagage.pdf
    • https://wezulakukamegel.weebly.com/uploads/1/3/0/6/130603859/d0795a1ef2c38.pdf
    • https://zitapufud.weebly.com/uploads/1/3/0/5/130538988/wekezut.pdf
    • https://rigokulawon.weebly.com/uploads/1/3/0/2/130289395/8881646.pdf
    • http://kov.mariocoin.ru/uploads/2020/01/28/0aa502b0c28.pdf
    • https://zisitunosozakap.weebly.com/uploads/1/3/0/3/130323723/c9ccad06.pdf
    • https://ragobiredufufaf.weebly.com/uploads/1/3/0/4/130483961/beboxilupog.pdf
    • http://ant-tur.ru/uploads/2020/01/27/419161.pdf
    • http://gonabeje.bpthere.club/uploads/2020/01/28/f44d88f8dc.pdf
    • http://gazed.maniacalhardware.ru/uploads/2020/01/28/tazufoledibopudi.pdf
    • http://rajojare.paiementfm.fr/uploads/2020/01/27/1187098.pdf
    • http://bulewabij.penostroy.com/uploads/2020/01/28/d4d61f.pdf
    • https://desarofopeduzip.weebly.com/uploads/1/3/0/2/130289653/c37e44d0.pdf
    • https://ruroruvebenala.weebly.com/uploads/1/3/0/5/130550714/setizosax.pdf
    • https://wagefelom.weebly.com/uploads/1/3/0/2/130287971/826ca3a.pdf
    • http://posabo.vetrics.ru/uploads/2020/01/27/takabebapasogutajele.pdf
    • http://sewo.hrystalev-vasilyev.ru/uploads/2020/01/27/27263eee1823.pdf
    • http://xive.autoobzors.ru/uploads/2020/01/28/xolasumusin_sudanosalizedu.pdf
    • https://rafilaluxonijew.weebly.com/uploads/1/3/0/4/130476150/130476150.html#lonely+planet+vietnam+cambodia+laos+

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001650.bin
  SHA-256: e204c5650e677738b34ab8990f3604d9a29d1ead238e8c6b1475749894389f2c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1650
  Size: 9272 bytes

Filename: font_01_sfnt_off00007957.bin
  SHA-256: c7bc28977c23cac38f5215e921ed56f2c538741eeffccfe074e4d3d95a0e022a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7957
  Size: 16400 bytes
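The following is an added example, not code from this report or from the analysis pipeline that produced it. It reproduces in miniature the two kinds of evidence above: the PDF_SEO_LINK_FARM / EMBEDDED_URL findings (extract /URI link-annotation targets from the raw bytes and test whether a small file carries many external links clustered on one hosting domain) and the Extracted artifacts table (carve embedded sfnt font programs with their file offset, decoded size and SHA-256). Everything it runs on is constructed inline: build_pdf writes a small well-formed PDF, SAMPLE_URLS uses weebly.com subdomains plus reserved example.* domains, and FAKE_FONT is a fake sfnt header followed by filler, not a real font. The thresholds in link_farm_check and the two-label base_domain simplification are this example's own assumptions, not the report's rules.

```python
import hashlib
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")  # TrueType/OpenType/collection
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)     # /URI (literal string)
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")                   # start of stream data
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(\s+0\s+R)?")            # direct or indirect /Length

# Constructed sample input (assumption): 12 free-subdomain links + 4 unrelated domains.
SAMPLE_URLS = (
    [f"https://site{i:02d}.weebly.com/uploads/1/3/0/{i}/constructed{i}.pdf" for i in range(12)]
    + ["http://example.org/uploads/2020/01/27/a.pdf", "http://example.net/uploads/2020/01/28/b.pdf",
       "http://example.com/c.pdf", "https://example.edu/d.pdf"]
)
# Constructed sample input (assumption): sfnt magic + fake table header + filler, not a real font.
FAKE_FONT = b"\x00\x01\x00\x00" + b"\x00\x00\x00\x10\x00\x00\x00\x00" + b"constructed-not-a-real-font " * 40

def pdf_string(s):
    """Escape the three characters that matter inside a PDF literal string."""
    return re.sub(rb"([()\\])", rb"\\\1", s.encode("latin-1"))

def build_pdf(urls, font_bytes):
    """Write a single-page PDF with one /Link annotation per URL and one
    FlateDecode-compressed font program stream (the /FontFile2 shape)."""
    objs = []
    def add(body):
        objs.append(body)
        return len(objs)                       # object number
    packed = zlib.compress(font_bytes)
    add(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed) + packed + b"\nendstream")
    annots = [add(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (%s) >> >>"
                  % pdf_string(u)) for u in urls]
    page, pages, catalog = len(objs) + 1, len(objs) + 2, len(objs) + 3
    add(b"<< /Type /Page /Parent %d 0 R /MediaBox [0 0 612 792] /Annots [%s] >>"
        % (pages, b" ".join(b"%d 0 R" % n for n in annots)))
    add(b"<< /Type /Pages /Kids [%d 0 R] /Count 1 >>" % page)
    add(b"<< /Type /Catalog /Pages %d 0 R >>" % pages)
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root %d 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, catalog, xref)
    return bytes(out)

def extract_uris(pdf):
    """Pull /URI targets out of link-annotation actions by scanning raw bytes.
    Caveat: sees only uncompressed objects with literal-string URIs; a full triage
    pass also inflates /ObjStm object streams and decodes hex strings."""
    return [re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1") for m in URI_RE.finditer(pdf)]

def base_domain(host):
    """Collapse free-subdomain hosts (x.weebly.com) to the hosting domain.
    Simplification: last two labels; real code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def link_farm_check(pdf, min_links=10, max_size=200 * 1024, cluster_share=0.5):
    """Link-farm heuristic: small file, many external links, most on one hosting domain.
    Thresholds are this example's assumptions."""
    parts = [urlsplit(u) for u in extract_uris(pdf)]
    external = [p for p in parts if p.scheme in ("http", "https") and p.hostname]
    hosts = Counter(base_domain(p.hostname) for p in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(external) if external else 0.0
    return {"size": len(pdf), "links": len(external), "top_host": top_host,
            "top_host_share": round(share, 2),
            "link_farm": len(pdf) <= max_size and len(external) >= min_links and share >= cluster_share}

def carve_sfnt_fonts(pdf):
    """Carve embedded font programs as the artifacts table reports them: file offset
    of the stream data, decoded size and SHA-256. Inflates streams that do not start
    with an sfnt magic, which covers the usual FlateDecode case."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        lengths = LENGTH_RE.findall(pdf[max(0, start - 512):start])   # dict precedes 'stream'
        if lengths and not lengths[-1][1]:                            # direct /Length: exact count
            data = pdf[start:start + int(lengths[-1][0])]
        else:                                                          # indirect: scan to endstream
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            data = pdf[start:end]
            data = data[:-2] if data.endswith(b"\r\n") else (data[:-1] if data[-1:] in (b"\n", b"\r") else data)
        if not data.startswith(SFNT_MAGICS):
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
            if not data.startswith(SFNT_MAGICS):
                continue
        found.append({"offset": start, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()})
    return found

if __name__ == "__main__":
    sample = build_pdf(SAMPLE_URLS, FAKE_FONT)
    print(link_farm_check(sample))
    for f in carve_sfnt_fonts(sample):
        print("font at offset 0x%x, %d bytes, sha256 %s" % (f["offset"], f["size"], f["sha256"]))
```

Running the block on its constructed sample reports 16 links with weebly.com holding a 0.75 share and the link-farm flag set, and one carved font whose decoded size and hash match FAKE_FONT; dropping to three links clears the flag. On a real sample, extend extract_uris to inflate object streams before trusting a low link count, since a link farm packed into an /ObjStm would otherwise be invisible to the raw-byte scan.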