Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd05de0c7e00c489…

Verdict: MALICIOUS

File type: PDF

Size: 42.7 KB
Authoring application: OpenOffice.org
MD5: f971938ec35b6fd8f68ed2f8fbdc060a
SHA-1: 5a2b7f238cbf8700fa7e467624dc34be863b6f23
SHA-256: bd05de0c7e00c48985c80dc6e1af1ebffa83a1d3304a1a28a189ba47e13ea516
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by ClamAV as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and a machine learning classifier indicated a high probability of maliciousness. The heuristic 'PDF_SEO_LINK_FARM' indicates the presence of numerous external links, with the primary domain being 'extrade.website'. The document body contains many URLs pointing to PDF files on various domains, a pattern consistent with a phishing or content-distribution scheme. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000012ea.bin
SHA-256: 99b7e63ac7d7d1e6f90fdf1a4a0004384b86b9552f55507d58c4ac74d3291437
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12EA
Size: 8680 bytes