Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf1a0b8d2f86a34f…

Verdict: MALICIOUS
File type: PDF
Size: 40.1 KB
Authoring application: LibreOffice
MD5: c22fd6ef1dcc07d31563c15732e30688
SHA-1: 9a4316e5f4d37c2f4a8ef2aeb141177228d8de2f
SHA-256: bf1a0b8d2f86a34fd71ace3a47ea0bb25691f239a1550b0b26c3f777f4923892
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs pointing to other PDF files, a pattern indicative of a link farm used to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the PDF_SEO_LINK_FARM heuristic strongly suggest a phishing or scam campaign. The document body, although it contains text about a resignation letter, is heavily obfuscated and most likely serves as a lure to encourage users to click the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003809.bin
SHA-256: e41e734f9d5bfa3d5fed24691e19aa81981152e82af74650ade98f02faea3800
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3809
Size: 8360 bytes