Malicious PDF — malware analysis report

Static analysis result for SHA-256 b384144ed6e6b92e…

MALICIOUS

PDF

Size: 43.2 KB
Authoring application: LibreOffice Draw
First seen: 2020-09-24
MD5: b2d5bee1290db0b716d23c282d5d883b
SHA-1: 14d7f63ce003f7e3588d91230d77fa47ad567f3e
SHA-256: b384144ed6e6b92eb0ca862833bdb6492ab236583c1e758670b4e4d4371d5e37
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, aligning with the PDF_SEO_LINK_FARM heuristic. The document body is heavily obfuscated and does not provide clear instructions, but the overall structure suggests a phishing or content distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000014ad.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x14AD
Size: 8828 bytes
SHA-256: e61ea4e96e178791c5055039845d079ef04528e27875eb98a6e90b89c680e2be