Malicious PDF — malware analysis report

Static analysis result for SHA-256 d76edd653a59b1bb…

MALICIOUS

PDF

41.4 KB Authoring application: LibreOffice Draw
MD5: 265fedd0b4c5cb76ff3d48e0b4c5c7a4 SHA-1: e38d99eab543b607f07db6f54c2974e13f09a3a0 SHA-256: d76edd653a59b1bb53b960d95e8353039804a8b191aae210abc89dd89bc93269
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or redirection scheme. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier output further support a malicious classification. The document body contains text related to 'Time card template access' and 'Excelchat', which may be used as a lure to encourage interaction with the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://michaelbthewriter.com/uploads/1/3/0/6/130604256/lilofumasig_befiwikunufupe.pdf
    • http://creationresearchontario.weebly.com/uploads/1/3/0/5/130551794/daxomobawa_fewevi_zikasinemevuk.pdf
    • http://xozovakib.plrsecretsclub.com/uploads/2020/01/27/kosikem-jijasamake.pdf
    • http://dolphinhouseclinic.weebly.com/uploads/1/3/0/5/130551625/9b2fab939ba34a.pdf
    • http://churoncalla.com/uploads/1/3/0/5/130590355/2746527.pdf
    • http://xari.cityglush11.icu/uploads/2020/01/29/binegawosojotabuwuno.pdf
    • http://matthewsingerucla.com/uploads/1/3/0/3/130313213/6832363.pdf
    • http://soundshopmsc.ru/uploads/2020/01/28/vujun-bekagerojofa-neniferezaripir.pdf
    • http://quotex.fr/uploads/1/3/0/6/130639076/c6eaf98b6034bf.pdf
    • http://leadsfb.xyz/uploads/2020/01/28/zavifibunagomulavu.pdf
    • http://nutrizionistagiuliaporcu.it/uploads/1/3/0/6/130620985/6f75d92.pdf
    • http://wolux.m6spotify.com/uploads/2020/01/29/pufimixeduz.pdf
    • http://vsjamoskva.ru/uploads/2020/01/28/1d744650bd34a70.pdf
    • http://acwri.org/uploads/1/3/0/6/130622089/7420201.pdf
    • http://bewateryogaandcoaching.com/uploads/1/3/0/3/130379612/9581115.pdf
    • http://christinabarsi.net/uploads/1/3/0/6/130620296/libitax.pdf
    • http://mindset-hypno.com/uploads/1/3/0/3/130323319/483360.pdf
    • http://ketojumi.anchevskaya.com/uploads/2020/01/28/8364554.pdf
    • http://drchristophersmith.net/uploads/1/3/0/6/130620172/4953896.pdf
    • http://comedianjordanjackson.com/uploads/1/3/0/5/130551457/6d696d.pdf
    • http://newtonanchorbar.co.uk/uploads/1/3/0/5/130588145/e90aa10e.pdf
    • http://ageinmyplace.net/uploads/1/3/0/6/130621132/4533399.pdf
    • http://delucaconsulting.se/uploads/1/3/0/5/130542860/lofikelod-desepotovugowel.pdf
    • http://drpatty.net/uploads/1/3/0/5/130551824/130551824.html#time+card+template+access

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001727.bin
87ad6b69171822677f5b4833e9b44e0cce003445eebc5d910bcf78930edfe0a1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1727 8328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.