Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3f8ebaaab8682d7…

Verdict: MALICIOUS

File type: PDF

Size: 135.0 KB
Authoring application: LibreOffice Draw
MD5: 2f1809758c51d12673e3e586aab2899b
SHA-1: a2ddf4aa742afdfc055d0fb95aa6b0ed5dc79c20
SHA-256: d3f8ebaaab8682d7da54a69bd7046d7ccc2927d11e0ac113f5536935ad0de2a3
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, identified by the PDF_SEO_LINK_FARM heuristic, which is a common tactic for phishing or distributing malware. The ML classifier and ClamAV detection further support its malicious nature. The document body, despite being partially corrupted, mentions 'Argentina world cup 2018 squad announcement', suggesting a lure to attract user clicks on the numerous provided URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9702

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001696.bin
  SHA-256: 62805a7aa2e889b6b33fe5370a031a64a64255836d5e05b36599a153c9a07198
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1696
  Size: 19700 bytes

Filename: font_01_sfnt_off0000700a.bin
  SHA-256: 932937c80ff6956f6fc37b67d8d781438a1d6822b2c34dac8c8ad421012bf806
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x700A
  Size: 4360 bytes

Filename: font_02_sfnt_off000128d0.bin
  SHA-256: 84c9f156e767cdf0ef3182bba608100b7567d434608bb9b15951ca56abd51807
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x128D0
  Size: 17932 bytes