Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6644be4470ab851…

Verdict: MALICIOUS
File type: PDF
Size: 39.9 KB
Authoring application: LibreOffice Draw
MD5: d37aa4ee032424392896bb4cc9d8737b
SHA-1: d0b02f2e10c2bfc989e40b5264bb857b47c3fcc5
SHA-256: b6644be4470ab8516b495f93d5d17a4aadf5e515ab251663244eccfc34238d10
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files, a technique commonly used for SEO poisoning and distributing malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. The embedded URLs likely lead to phishing sites or further malware downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003aaa.bin
SHA-256: 50aa3c1ee1bb48bc6814ed6ded5bf724f64087d5ff2e87493743e77abaca8e10
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3AAA
Size: 8064 bytes