MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF file contains a large number of embedded links, identified by the PDF_SEO_LINK_FARM heuristic, directing users to download other PDF files. The document body, though partially corrupted, suggests a lure related to educational materials ('Kcse past papers 2016 with answers'). This indicates a phishing or content-luring campaign designed to distribute further malicious content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9997
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000184c.bin c1b0e5eb16ba9d7430f33b41213364f95f7fec540bddc63da2b9ea278c3c9710 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x184C | 8292 bytes |
| font_01_sfnt_off00009fb3.bin d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9FB3 | 2616 bytes |