Malicious PDF — malware analysis report

Static analysis result for SHA-256 bfa2a75e7cbdd7a2…

Verdict: MALICIOUS
File type: PDF
Size: 39.0 KB
Authoring application: LibreOffice Draw
MD5: bfd70a6880e1c0db8fea856ed1d31984
SHA-1: 0e68bf58a41e26e3e5ca7307a52f8b7431811d76
SHA-256: bfa2a75e7cbdd7a22d88446e4a72ea170dd6c6e43866695b0cdb5afa46f898b5
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link
T1059.001 PowerShell

The PDF contains a large number of external links pointing to other PDF files, flagged by the PDF_SEO_LINK_FARM heuristic. This pattern indicates a likely phishing or malware-distribution campaign, and the ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 supports that assessment. No scripts were extracted from this sample, so the T1059.001 (PowerShell) technique listed above is not evidenced by the static results shown here; the file's own behaviour is limited to carrying clickable links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://danyellscakesandcreations.com/uploads/1/3/0/6/130604940/7c128.pdf
    • http://beaconbeerco.com/uploads/1/3/0/6/130605426/1312232.pdf
    • http://mykdphotography.com/uploads/1/3/0/6/130639258/robiviz-devema-ginobititelasa.pdf
    • http://becomeacontractor.com/uploads/1/3/0/2/130270738/180773f78618ddc.pdf
    • http://adams-aardvarks.com/uploads/1/3/0/6/130604548/899c3d27c5.pdf
    • http://firesidetech.net/uploads/1/3/0/6/130604550/bemapijudafimexezo.pdf
    • http://simplybiblestories.net/uploads/1/3/0/6/130640200/masabumu.pdf
    • http://rtbartist.com/uploads/1/3/0/6/130621248/jijidavis.pdf
    • http://sacredsantafe.org/uploads/1/3/0/6/130605314/fegejakazelukepoguz.pdf
    • http://1577kenewastreet.com/uploads/1/3/0/8/130813913/wijid.pdf
    • http://n501bd.com/uploads/1/3/0/5/130539866/3068e940834aa1.pdf
    • http://ameskornerstore.com/uploads/1/3/0/7/130775380/ac9bba3129fd.pdf
    • http://nativeloomsb.weebly.com/uploads/1/3/0/5/130551607/1198561.pdf
    • http://boylepublichealth.com/uploads/1/3/0/3/130379461/0335417ce.pdf
    • http://adoptme.info/uploads/1/3/0/6/130621137/130621137.html#variational+autoencoder+anomaly+detection+keras
    • http://simplybiblestories.net/uploads/1/3/0/6/130640200
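The PDF_SEO_LINK_FARM heuristic above rests on three observations: a small file, many clickable external links that mostly target other PDFs, and links clustered on one host. The script below is an added example, not the scanner's own code. It builds a constructed one-page PDF made only of link annotations (the example.net/.org/.com hosts and every threshold are invented for illustration), pulls the /URI targets out of the raw bytes with a regex, and scores the three signals. The regex extractor is deliberately minimal: it reads uncompressed, conventionally written PDFs and will miss annotations stored inside compressed object streams, so real triage should use a full PDF parser.

```python
"""Triage a small PDF for the link-farm pattern behind PDF_SEO_LINK_FARM.

Added example, not the scanner's code. Thresholds and hostnames are
illustrative assumptions. The regex extractor only sees uncompressed
objects; annotations inside compressed object streams are missed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches /URI (target) inside a link action, honouring backslash escapes so
# an escaped ')' inside the URL does not end the literal string early.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_link_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in the file, in byte order."""
    # Undo only the escapes that occur in URLs: \( \) and \\ (no octal).
    return [re.sub(rb"\\([()\\])", rb"\1", m).decode("latin-1")
            for m in URI_RE.findall(pdf)]


def score_link_farm(pdf: bytes, *, size_limit=100 * 1024, min_links=8,
                    pdf_target_share=0.7, top_host_share=0.5) -> dict:
    """Small file + many external links, mostly .pdf targets, mostly one host.
    Threshold values are assumptions chosen for this example."""
    hosts: Counter[str] = Counter()
    pdf_targets = 0
    for uri in extract_link_uris(pdf):
        parts = urlsplit(uri)
        if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
            continue  # mailto:, relative or malformed targets are not external
        hosts[parts.hostname.lower()] += 1
        if parts.path.lower().endswith(".pdf"):
            pdf_targets += 1
    external = sum(hosts.values())
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    fired = (len(pdf) <= size_limit
             and external >= max(min_links, 1)  # also guards the divisions
             and pdf_targets / external >= pdf_target_share
             and top_count / external >= top_host_share)
    return {"size": len(pdf), "external_links": external,
            "pdf_targets": pdf_targets, "top_host": top_host,
            "top_host_links": top_count, "PDF_SEO_LINK_FARM": fired}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Write a minimal one-page PDF whose only content is one link annotation
    per URL. Constructed test input; it is not the analysed sample."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + refs + b"] >>")
    for i, url in enumerate(urls):
        lit = url.encode("latin-1")
        for ch in (b"\\", b"(", b")"):  # escape literal-string delimiters
            lit = lit.replace(ch, b"\\" + ch)
        y = 700 - 20 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] "
                    b"/A << /S /URI /URI (%s) >> >>" % (y, y + 14, lit))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_at))
    return bytes(out)


# Constructed URL sets on example.* hosts (not the sample's real targets).
FARM_URLS = (
    [f"http://files.example.net/uploads/1/3/0/6/{130600000 + i}/doc{i}.pdf"
     for i in range(8)]
    + ["http://files.example.net/uploads/1/3/0/6/130600099/copy(1).pdf",
       "http://mirror.example.org/uploads/1/3/0/6/130600100/other.pdf",
       "http://www.example.com/index.html#some+search+phrase",
       "mailto:contact@example.com"]  # not http(s): ignored by the heuristic
)
BENIGN_URLS = ["https://www.example.com/", "https://docs.example.org/guide.pdf",
               "https://example.net/contact"]
SAMPLE_PDF = build_sample_pdf(FARM_URLS)
BENIGN_PDF = build_sample_pdf(BENIGN_URLS)

if __name__ == "__main__":
    for label, pdf in (("link farm", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, score_link_farm(pdf))
```

Running it prints the score dictionary for the constructed link-farm PDF (which fires) and for a three-link control document (which does not). One caveat visible in this report: the extracted targets sit on many different hosts but share the same /uploads/1/3/0/... path template, so a host-concentration signal alone would be weak here and a production check would want a path-shape signal beside it.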

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003eb3.bin
SHA-256: 8078277e69f7d62737d8a55d66361fa202d5f79bfee2c4c66e9f1d2c1ee34fe9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3EB3
Size: 8032 bytes