Malicious PDF — malware analysis report

Static analysis result for SHA-256 ddc22623a58ff88a…

Verdict: MALICIOUS
File type: PDF
Size: 55.1 KB
Authoring application: LibreOffice
MD5: d41155491733674eda35ff59f3e852eb
SHA-1: effe5b637ad274605872406c711cba0a51ea858a
SHA-256: ddc22623a58ff88a3fa74de4aec2bd0d850b7b05366a7c8750725be4768b1a49
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link
  • T1059.001 PowerShell

The PDF contains a large number of embedded links, flagged by the PDF_SEO_LINK_FARM heuristic. ClamAV (Pdf.Phishing.TtraffRobotInstall-7605656-0) and the ML classifier also classify the file as malicious phishing content. The link targets are further .pdf files spread across many hosts that share the same /uploads/… path layout, and are likely to route the reader into additional malicious content or unwanted-software delivery chains. No embedded scripts were extracted from this sample, so the document relies on the user following one of the links rather than on automatic execution when it is opened.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://zebsvedlund.com/uploads/1/3/0/2/130292098/d16d6c.pdf
    • http://astrots.com/uploads/1/3/0/5/130589045/24b51b2b.pdf
    • http://elpcarpetcleaners.com/uploads/1/3/0/2/130270934/tegapubozawutovuw.pdf
    • https://vufomowukabatij.weebly.com/uploads/1/3/0/4/130488512/3daf7ab7ad3d2f7.pdf
    • http://thegoldenstateacademyschoolofspeechanddebate.com/uploads/1/3/0/6/130604903/6067427.pdf
    • http://hotsipa.com/uploads/1/3/0/6/130620902/6819497.pdf
    • http://mijnbiologie.weebly.com/uploads/1/3/0/5/130540211/jadasomoko.pdf
    • http://rak.love-farma.net/uploads/2020/01/28/befugibiwela.pdf
    • http://kefofekawa.bslg.ru/uploads/2020/01/28/fenigagodotinu.pdf
    • http://brundikoutek.weebly.com/uploads/1/3/0/6/130639217/xupozibilelanojofa.pdf
    • https://radozugenapu.weebly.com/uploads/1/3/0/3/130323594/3494465.pdf
    • http://coachinginyourcloset.com/uploads/1/3/0/3/130313585/5a0b5da0e7e.pdf
    • http://krankengymnastik-steglitz.de/uploads/1/3/0/5/130539795/3641276.pdf
    • http://themaacfitness.com/uploads/1/3/0/4/130477414/9790270.pdf
    • http://mrstoombs2ndgrade.weebly.com/uploads/1/3/0/5/130588895/2114845.pdf
    • http://mrmojo.com.br/uploads/1/3/0/3/130313700/rinanekeberuz_bikafi.pdf
    • http://frackfreefoothills.org/uploads/1/3/0/6/130620962/826ba.pdf
    • http://wodimo.service-dnr.ru/uploads/2020/01/27/8536067.pdf
    • http://timejulora.belvit.by/uploads/2020/01/28/rigefaxazafed-tofagibajapub-buxun.pdf
    • http://myloveclub.ru/uploads/2020/01/27/0c2e9c7adc.pdf
    • https://zexupimifosirof.weebly.com/uploads/1/3/0/5/130543476/f9d7b2e.pdf
    • http://gaxukagabe.psk-es.ru/uploads/2020/01/27/d428b634528.pdf
    • http://troitsa-ld.ru/uploads/2020/01/28/e9e5c0da05e.pdf
    • http://youandyourcareer.org/uploads/1/3/0/5/130589393/12bef5b638ce.pdf
    • http://kkmediation.com/uploads/1/3/0/6/130603904/4332582.pdf
    • http://reliancemartialarts.com/uploads/1/3/0/6/130620456/130620456.html#simple+interest+and+compound+interest+all+formulas
    • http://mrstoombs2ndg
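The following is an added example of how a check like the PDF_SEO_LINK_FARM heuristic above can be reproduced in a triage script; it is not the analysis platform's own code and its thresholds are assumptions chosen for illustration. It extracts the /URI targets of link annotations with plain regular expressions (no PDF library), then scores the file on size, number of external links, and how tightly those links cluster. Because the URLs listed in this report sit on many different hosts but share one /uploads/… path layout, the example clusters on a normalised path shape as well as on hostname, so a host-only check would not be fooled by that spread. The sample PDFs it analyses are constructed inline (made-up .example hosts), not the file in this report.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Thresholds are illustrative assumptions, not the report vendor's values.
MAX_SMALL_PDF_BYTES = 200 * 1024   # "small PDF"
MIN_EXTERNAL_LINKS = 10            # "mass external link farm"
MIN_CLUSTER_SHARE = 0.5            # share of links on one host or one path shape

# Literal-string /URI values; escaped parentheses inside are allowed.
# Hex strings (<...>) and URIs split across object streams are not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def pdf_escape(url: str) -> bytes:
    """Escape a URL for use inside a PDF literal string."""
    raw = url.encode("latin-1")
    return raw.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def build_sample_pdf(urls: list[str]) -> bytes:
    """Build a minimal one-page PDF whose only content is /Link annotations with URI actions.

    Constructed sample for this example; it is not the analysed file.
    """
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annot_refs + b"] >>")
    for i, url in enumerate(urls):
        y = 700 - 12 * i  # one clickable strip per link, stacked down the page
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] "
                    b"/A << /S /URI /URI (%s) >> >>" % (y, y + 10, pdf_escape(url)))
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


def extract_link_uris(pdf_bytes: bytes) -> list[str]:
    """Return every literal-string /URI target in document order, with PDF escapes undone."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def path_shape(url: str) -> str:
    """Directory part of the URL path with digit runs collapsed, e.g. /uploads/N/N/N/N/N."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def analyze_pdf_links(pdf_bytes: bytes) -> dict:
    """Score a PDF against the link-farm heuristic: small file, many external links, clustered."""
    external = [u for u in extract_link_uris(pdf_bytes) if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in external)
    shapes = Counter(path_shape(u) for u in external)
    top_host, host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_shape, shape_n = shapes.most_common(1)[0] if shapes else ("", 0)
    n = len(external)
    host_share = host_n / n if n else 0.0
    shape_share = shape_n / n if n else 0.0
    flagged = (len(pdf_bytes) <= MAX_SMALL_PDF_BYTES
               and n >= MIN_EXTERNAL_LINKS
               and max(host_share, shape_share) >= MIN_CLUSTER_SHARE)
    return {
        "size": len(pdf_bytes), "external_links": n,
        "pdf_targets": sum(urlsplit(u).path.lower().endswith(".pdf") for u in external),
        "top_host": top_host, "host_share": host_share,
        "top_path_shape": top_shape, "path_shape_share": shape_share,
        "flagged": flagged,
    }


# Constructed link-farm sample: same /uploads/… path layout as the report's URLs, hosts are made up.
FARM_URLS = [f"http://uploads{i % 4}.farm.example/uploads/1/3/0/{i}/1302{i:05d}/{i * 7919:x}.pdf"
             for i in range(11)] + [
    "https://blog.other.example/uploads/2020/01/28/befugi.pdf",
    "http://school.other.example/uploads/1/3/0/6/130620456/130620456.html#formulas",
    "mailto:contact@other.example",  # not http(s): ignored by the scorer
]
FARM_PDF = build_sample_pdf(FARM_URLS)

# Constructed benign control: a handful of citations to distinct hosts.
CITATION_URLS = ["https://doi.example/10.1000/xyz", "https://press.example/book/1",
                 "https://author.example/"]
CITATION_PDF = build_sample_pdf(CITATION_URLS)

if __name__ == "__main__":
    for name, pdf in (("link-farm sample", FARM_PDF), ("citation control", CITATION_PDF)):
        print(name, analyze_pdf_links(pdf))
```

On the constructed link-farm sample the top host holds under a quarter of the links, so a host-only cluster rule would stay quiet; the path-shape rule fires because twelve of thirteen external links resolve to the same /uploads/N/N/N/N/N layout. Run against a real sample, the regex approach will miss URIs stored in compressed object streams or as hex strings, so treat it as a first-pass triage check and fall back to a full PDF parser when the count looks suspiciously low for a file this size.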

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00001209.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1209
    Size: 9676 bytes
    SHA-256: dcf2439b40cbcf11dc6b4aee2069210581ca61b9589919db4812beede5447ee4
  • font_01_sfnt_off00009078.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9078
    Size: 16036 bytes
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63