Malicious PDF — malware analysis report

Static analysis result for SHA-256 b379ba6faa8a4005…

Verdict: MALICIOUS
File type: PDF
Size: 47.9 KB
Authoring application: OpenOffice.org
MD5: 14aac49ea88afe8a217ec47654b8efb4
SHA-1: 95f490f7b9a7ad0a92cbac41694d1d16833bd5d5
SHA-256: b379ba6faa8a4005b51e52e8f65af6365a204d5386148610278cf04cd374cca0
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF contains a large number of link annotations whose targets are external PDF files hosted on many different domains. The heuristic that fires on this pattern, PDF_SEO_LINK_FARM, describes generated documents used to game search rankings: each carrier links to many other generated PDFs so that a search for a target phrase lands the user on one of them and, from there, in a redirect chain to phishing pages or unwanted-software installers. The URLs extracted below span many hosts but share one generated path scheme (/uploads/1/3/0/N/<numeric id>/<random>.pdf or /uploads/2020/01/DD/<id>.pdf), which is a more durable pivot than any single domain. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 points the same way (phishing or traffic generation), but a signature name is a vendor label rather than a description of what the file does; the link annotations and their targets are the evidence to act on.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mytorchdata.com/uploads/1/3/0/5/130551019/luwupexexemut_petijivew.pdf
    • http://avalanchebruidsboeketten.nl/uploads/1/3/0/3/130379147/3917447.pdf
    • http://physics-friends.com/uploads/1/3/0/5/130542948/befexowumumip.pdf
    • http://puertoricandj.com/uploads/1/3/0/2/130273962/webuwebalire.pdf
    • http://dollarsfordoorsllc.com/uploads/1/3/0/2/130270836/zilafu.pdf
    • http://maelabellydance.net/uploads/1/3/0/4/130483697/bisukesebe.pdf
    • http://ogmadota.club/uploads/2020/01/27/1239a50f3c8ef.pdf
    • http://jamigomo.ta-global.site/uploads/2020/01/28/8315790.pdf
    • http://ashleighvaillancourt-winebrenner.com/uploads/1/3/0/6/130621180/2eb4aad90.pdf
    • http://ccjustice.net/uploads/1/3/0/6/130604667/9b75b18.pdf
    • https://darakuge.weebly.com/uploads/1/3/0/5/130551749/wetoj_bipizaboruwuvul_xikapono_pexojowez.pdf
    • http://newbraunfelspestpros.com/uploads/1/3/0/4/130436451/2353082.pdf
    • http://voicesbydcon.com/uploads/1/3/0/2/130271051/kelufapexamumoje.pdf
    • http://musicconnectionproject.org/uploads/1/3/0/6/130620459/xolorukedosivif.pdf
    • http://mkdkarate.com/uploads/1/3/0/4/130436163/9591050.pdf
    • http://christmasinchilhowie.com/uploads/1/3/0/2/130289515/nixek.pdf
    • http://civiccoalition-jerusalem.org/uploads/1/3/0/6/130604744/fimubidum.pdf
    • http://aljbrand.com/uploads/1/3/0/5/130588377/77370ff37.pdf
    • http://kepapeduf.ars-shipping.com/uploads/2020/01/28/7430662.pdf
    • http://paradoxicalrepairs.tech/uploads/2020/01/29/9a2ed5cd2d.pdf
    • http://thesoftearth.com/uploads/1/3/0/4/130483384/wuruf.pdf
    • http://mekotebowo.svd58.ru/uploads/2020/01/27/biwewopexalutudox.pdf
    • http://dajumejaja.cctfi.biz/uploads/2020/01/27/dedakukagam-gedeni.pdf
    • http://100lifelessonswithsistergirl.com/uploads/1/3/0/3/130379527/130379527.html#cfop+pll+pdf
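The link-farm heuristic above is a count of link annotations with external .pdf targets, judged against the file's size and the spread of target hosts. What follows is an added example, not the analysis engine's own code: a stdlib-only Python scanner that pulls /URI targets out of raw PDF bytes (literal and hex string forms), groups them by host, and applies thresholds of the same shape. The thresholds (200 KB, 10 links, 80% .pdf targets), the farm-*.example hosts and the minimal PDF skeleton it assembles are constructed assumptions for the demonstration, not data taken from the sample.

```python
"""Flag the PDF_SEO_LINK_FARM pattern: a small PDF whose link annotations
point to many external .pdf URLs.  Stdlib-only byte-level scan, so it also
copes with carriers whose xref table is broken.  Example code; thresholds
and sample data are constructed for the demonstration."""
import re
from collections import Counter
from urllib.parse import urlparse

# A link action looks like  /A << /S /URI /URI (http://...) >>.  The target
# may be a literal string (...) with backslash escapes, or a hex string <...>.
# Simplification: balanced unescaped parentheses inside a literal are not
# handled; URLs containing parentheses must be written as \( and \).
URI_RE = re.compile(
    rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)


def extract_uris(pdf_bytes):
    """Return every /URI target found in the raw bytes, in file order."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        if m.group(1) is not None:                       # literal string
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # \( \) \\ -> ( ) \
        else:                                            # hex string
            digits = re.sub(rb"\s", b"", m.group(2))
            if len(digits) % 2:                          # PDF: odd length, pad 0
                digits += b"0"
            raw = bytes.fromhex(digits.decode("ascii"))
        uris.append(raw.decode("latin-1"))
    return uris


def analyse(pdf_bytes, max_size=200 * 1024, min_links=10, min_pdf_ratio=0.8):
    """Apply link-farm thresholds (assumed values, not the engine's) to the
    extracted URIs and return the evidence alongside the verdict."""
    hosts = Counter()
    pdf_targets = 0
    for uri in extract_uris(pdf_bytes):
        p = urlparse(uri)
        if p.scheme not in ("http", "https") or not p.hostname:
            continue                      # mailto:, javascript:, relative refs
        hosts[p.hostname] += 1
        if p.path.lower().endswith(".pdf"):
            pdf_targets += 1
    external = sum(hosts.values())
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    return {
        "size": len(pdf_bytes),
        "external_links": external,
        "pdf_targets": pdf_targets,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / external if external else 0.0,
        "is_link_farm": (len(pdf_bytes) <= max_size
                         and external >= min_links
                         and external > 0
                         and pdf_targets / external >= min_pdf_ratio),
    }


def build_sample_pdf(urls):
    """Assemble a constructed single-page PDF skeleton (no xref table, which
    the byte scanner does not need) with one /Link annotation per URL."""
    annots = b" ".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]"
        b" /A << /S /URI /URI (%s) >> >>" % u.encode("latin-1")
        for u in urls)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
            b" /Annots [" + annots + b"] >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


# Constructed hosts and paths mimicking the /uploads/... scheme seen above.
SAMPLE_URLS = (
    ["http://farm-a.example/uploads/1/3/0/5/1305%05d/%d.pdf" % (n, n) for n in range(8)]
    + ["http://farm-b.example/uploads/2020/01/27/%d.pdf" % n for n in range(3)]
    + ["http://farm-c.example/uploads/page.html#pdf"]
)

if __name__ == "__main__":
    for key, value in analyse(build_sample_pdf(SAMPLE_URLS)).items():
        print(f"{key}: {value}")
```

A byte-level scan only sees annotations that are stored uncompressed; a carrier that packs its page objects into compressed object streams (/ObjStm) will hide its /URI entries from this regex, so for triage at scale decompress first (for example with qpdf or pdf-parser.py) and then run the same counting logic over the inflated objects. The top_host_share value is reported rather than thresholded because, as this sample shows, a farm can spread its targets across many hosts while keeping one path scheme.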

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001156.bin
    SHA-256: 75eb37dbb117280311e7ab8748a8690300670b10a2c30040198436046ca0ad1c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1156
    Size: 7976 bytes