Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc39daf46f72d70b…

Verdict: MALICIOUS
File type: PDF
Size: 138.3 KB
Authoring application: LibreOffice Draw
MD5: d91e34d654050b0c7a828fea7773fe16
SHA-1: 8368659180a0d8924e6eda27af130e4d1495141d
SHA-256: cc39daf46f72d70b1620a738e8402185d3f03f49a3af0dfaf31d92a348b788f3
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including a critical finding for a large number of embedded external PDF links, which suggests a link farm. The ML classifier also strongly indicated maliciousness. The embedded URLs, such as http://christine-simmons.com/uploads/1/3/0/7/130776147/vikezubuwe.pdf, are likely used to redirect users to phishing sites or to download further malware. The document body contains garbled text and repeats some of the same URLs, reinforcing the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://christine-simmons.com/uploads/1/3/0/7/130776147/vikezubuwe.pdf
    • http://careersinmentalhealth.com/uploads/1/3/0/6/130620438/lofosome.pdf
    • http://ferristechhelp.com.au/uploads/1/3/0/5/130588280/jumipi.pdf
    • http://mpunlimited.com/uploads/1/3/0/4/130435785/rapibozagosividoza.pdf
    • http://lawpixel.com/uploads/1/3/0/3/130313218/zekam-mogak-zaratibu.pdf
    • http://gidefaut.com/uploads/1/3/0/5/130545957/sefifebejef-buvadaw.pdf
    • http://studio3d.co.il/uploads/1/3/0/3/130313067/siguseboxekatat.pdf
    • http://www.fixedearth.com/uploads/1/3/0/4/130476248/tukapotorexoji_xixarijajuneg_vipazapaw.pdf
    • http://brownfencing.com/uploads/1/3/0/2/130289436/fdc66382e8.pdf
    • http://thehangaruk.co.uk/uploads/1/3/0/5/130539446/5110863.pdf
    • http://hostmaster.ruminahui.de/uploads/1/3/0/4/130436050/4863721.pdf
    • http://swipebible.com/uploads/1/3/0/6/130621947/sudibate_xaruje.pdf
    • http://mta-sts.mx.whatthemonday.com/uploads/1/3/0/8/130814088/danivuru.pdf
    • http://owngov.net/uploads/1/3/0/3/130313809/9334280.pdf
    • http://narrowbandingcoordination.com/uploads/1/3/0/6/130605448/misuxukugunedup.pdf
    • http://mosaicvoices.net/uploads/1/3/0/5/130540504/suwaxojixononide.pdf
    • http://daycareinsanrafael.com/uploads/1/3/0/3/130313700/2605629.pdf
    • http://74-123-75-26.mgwnet.com/uploads/1/3/0/5/130588572/130588572.html#infective+endocarditis+treatment+idsa

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00001581.bin
    SHA-256: d9bf6b7d3001913a200ca1978b0cd4a37efe7273af055334786a4de1c221c4cf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1581
    Size: 11184 bytes
  • font_01_sfnt_off00015785.bin
    SHA-256: 6dc6e07f93ae70488a19e8a398a1c6cda2f5723fc3d3cbe180c5afbb10c3611e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x15785
    Size: 2864 bytes