Malicious PDF — malware analysis report

Static analysis result for SHA-256 c141fbb466cd76eb…

Verdict: MALICIOUS
File type: PDF
Size: 50.5 KB
Authoring application: LibreOffice Draw
MD5: e96a79608baa9af4b25c746c7161047e
SHA-1: 17db2541277ce537ef0c6faf669ba6b906cb955f
SHA-256: c141fbb466cd76eba8cecc0964b9e586f7fd546c48ca2908e9b25f3d42790729
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. This technique is commonly used to distribute malicious content or conduct phishing attacks by overwhelming search engine indexes or directing users to malicious sites. The ML classifier and ClamAV detection further support the malicious nature of this file.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00004549.bin
    SHA-256: 17383ef0ffc47cbb93418b8fb2077315a65d02529eabcf287f2e774c63fd4201
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4549
    Size: 4056 bytes
  • font_01_sfnt_off0000529a.bin
    SHA-256: e750fc74c1d4cfe9d39ace38833af7078a297f688c9d0261eb5c7cd25c46c64f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x529A
    Size: 16396 bytes
  • font_02_sfnt_off00006bcc.bin
    SHA-256: 346850b2c6f7b1f05e73dfb6ef5dc7072491bb34cd115109db65461e259f8951
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6BCC
    Size: 8864 bytes