Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5dc298fd5c293bc…

Verdict: MALICIOUS
File type: PDF
Size: 40.2 KB
Authoring application: OpenOffice Draw
MD5: bdefda2311ced849ec79d1b2c54c96e7
SHA-1: 7c20e2a09048f5634e275c1e463ede3bb0df4f26
SHA-256: e5dc298fd5c293bc797a7b243c8e037926ef9bf7f85d9eedcf605cf21cc1ff09
Risk score: 150

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF carries a large number of clickable link annotations that point at external PDF files, which is what the PDF_SEO_LINK_FARM heuristic flags. The targets are spread across many unrelated domains but all share one generated path template (/uploads/1/3/0/<n>/<id>/<name>.pdf), and the one HTML target carries SEO keywords in its URL fragment; this is the signature of a generated link-farm carrier used to manipulate search engine results or to route readers into an unwanted-software delivery chain rather than a normal citation pattern. The ClamAV signature and the ML classifier concur on the verdict. No scripts were extracted from this sample, so the T1059.001 (PowerShell) mapping is not corroborated by any behaviour observed in the file itself; treat it as an association carried over from the detection rather than as an observed technique.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, typically clustered on one host or on one generated path template. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://distantjove.com/uploads/1/3/0/2/130273982/b25504d8.pdf
    • http://aerogreensolutions.com/uploads/1/3/0/2/130289311/6469230.pdf
    • http://cherishedrubies.com/uploads/1/3/0/4/130488749/1298361.pdf
    • http://bcreo.com/uploads/1/3/0/7/130738646/tiketa.pdf
    • http://atcalloys.com/uploads/1/3/0/3/130324386/derejowafet_luniwana_nuwewas_ruroxuzedezu.pdf
    • http://code-penguin.com/uploads/1/3/0/7/130739852/fugopinomepu.pdf
    • http://nicacov.org/uploads/1/3/0/7/130739129/zalodawirifiti.pdf
    • http://streetbrunch.com/uploads/1/3/0/4/130488322/fovudulak-divalekujimal.pdf
    • http://mafer-alex.com/uploads/1/3/0/4/130435982/463231.pdf
    • http://misfitsagony.com/uploads/1/3/0/7/130775724/ragofazuve-rogota-mudedefifud.pdf
    • http://evans.pizza/uploads/1/3/0/7/130775762/67a8a6e3e5b.pdf
    • http://northeastbathrooms.co.uk/uploads/1/3/0/5/130551116/848894.pdf
    • http://cbacreditcard.com/uploads/1/3/0/6/130604536/xekobiponeduk-sebaverilu-purodiloz.pdf
    • http://nlpcoursesmelbourne.com/uploads/1/3/0/4/130436172/3352d4745c1fe.pdf
    • http://blogg.allegro-as.no/uploads/1/3/0/3/130379150/8416029.pdf
    • http://signals.email/uploads/1/3/0/7/130739318/d2a2a810f595.pdf
    • http://americanmusicnews.com/uploads/1/3/0/6/130639216/benazatow_lazuvikaninusu_juwub_favijinuzoliwoz.pdf
    • http://sharonramey.com/uploads/1/3/0/6/130604129/8900138.pdf
    • http://patometry.com/uploads/1/3/0/6/130639809/728085e9fa8.pdf
    • http://nofbx.net/uploads/1/3/0/7/130739535/8787966.pdf
    • http://cashmerecanada.ca/uploads/1/3/0/6/130620251/3e2f54c776.pdf
    • http://3feetforpete.org/uploads/1/3/0/4/130475979/gowesufatugede.pdf
    • http://vps7-internal-admins.pleasingfood.com/uploads/1/3/0/8/130813489/130813489.html#diet+plan+for+o+plus+blood+type
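The two heuristics above, the per-channel URL labelling of EMBEDDED_URL and the clustering test behind PDF_SEO_LINK_FARM, can be reproduced with a short offline scan. The block below is an added example and not code from the report's own pipeline: it extracts URLs from a constructed PDF (example.test hosts, three links rather than the twenty-two in this sample), labels each with the channel that reaches it, then applies an assumed set of link-farm thresholds (file size, link count, share of targets on one host or one digit-collapsed path template). The thresholds and the hypothetical helper names are assumptions, not the vendor's.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, not the analysed file: three link annotations whose /URI
# targets share one generated path template across two hosts, one JavaScript
# OpenAction that reaches a URL, and one bare URL in page text.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript "
    b"/JS (app.launchURL(\"http://js.example.test/x.pdf\", true)) >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] /Contents 7 0 R >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI "
    b"(http://a.example.test/uploads/1/3/0/2/130273982/b25504d8.pdf) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI "
    b"(http://b.example.test/uploads/1/3/0/7/130738646/tiketa.pdf) >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI "
    b"(http://a.example.test/uploads/1/3/0/4/130488749/1298361.pdf) >> >> endobj\n"
    b"7 0 obj << /Length 57 >> stream\n"
    b"BT /F1 12 Tf (See http://body.example.test/ref.pdf) Tj ET\n"
    b"endstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_~:/?#\[\]@!$&'*+,;=%]+")


def extract_urls(pdf):
    """Return (channel, url) pairs, labelling the channel that reaches each URL:
    'link-annotation' for /URI actions, 'js' for URLs inside /JS strings and
    'body' for anything else visible in the raw bytes (text, metadata, ...).
    Regex scan over the raw file; compressed object streams are not inflated."""
    found = []
    for m in re.finditer(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)", pdf):
        found.append(("link-annotation", m.group(1).decode("latin-1")))
    for m in re.finditer(rb"/JS\s*\((.*?)\)\s*>>", pdf, re.S):
        for u in URL_RE.findall(m.group(1)):
            found.append(("js", u.decode("latin-1")))
    seen = {u for _, u in found}
    for u in URL_RE.findall(pdf):
        s = u.decode("latin-1")
        if s not in seen:
            found.append(("body", s))
            seen.add(s)
    return found


def path_template(url):
    """Directory part of the URL path with digit runs collapsed to 'N': a cheap
    fingerprint of the generator that produced the link targets."""
    directory = urlparse(url).path.rsplit("/", 1)[0] + "/"
    return re.sub(r"\d+", "N", directory)


def link_farm_verdict(pdf, max_size=100_000, min_links=10, min_share=0.5):
    """Score the PDF_SEO_LINK_FARM pattern: a small file whose clickable link
    annotations point mostly at external .pdf targets that cluster on one host
    or on one generated path template. All thresholds are assumptions."""
    links = [u for ch, u in extract_urls(pdf) if ch == "link-annotation"]
    hosts = Counter(urlparse(u).hostname for u in links)
    templates = Counter(path_template(u) for u in links)
    pdf_targets = sum(urlparse(u).path.lower().endswith(".pdf") for u in links)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl, top_tpl_n = templates.most_common(1)[0] if templates else (None, 0)
    n = len(links)
    clustered = n > 0 and max(top_host_n, top_tpl_n) / n >= min_share
    return {
        "size": len(pdf),
        "links": n,
        "pdf_targets": pdf_targets,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_host_n / n if n else 0.0,
        "top_template": top_tpl,
        "top_template_share": top_tpl_n / n if n else 0.0,
        "hit": len(pdf) <= max_size and n >= min_links
               and pdf_targets >= 0.8 * n and clustered,
    }


if __name__ == "__main__":
    for channel, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} {url}")
    print(link_farm_verdict(SAMPLE_PDF, min_links=3))
```

The host-share test alone would miss this sample, where every target sits on a different domain; the path-template share is what catches a generator that rotates hosts but keeps its upload layout, so the verdict uses whichever of the two clusters more tightly.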

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003b6a.bin
SHA-256: ddc62d1f512059436a1f224d95eb9595979860b5c9e7062279a159ae3e49675b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3B6A
Size: 8048 bytes
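The artifact entry above records a font program carved out of a stream by its offset, size and SHA-256. The block below is an added example of that carving step, not the report's own extractor: it walks the streams of a constructed PDF, inflates FlateDecode streams where declared, keeps those whose first bytes are an sfnt magic, and names them in the same font_NN_sfnt_offXXXXXXXX.bin style. The sample PDF and the fake font headers are constructed inline; the helper names are hypothetical. It is a regex scan, not a full PDF parser, so indirect /Length values and deeper nested dictionaries are handled only approximately.

```python
import hashlib
import re
import zlib

# sfnt container magics: TrueType, Apple 'true', OpenType/CFF, TrueType collection
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")
# A stream dictionary (one level of nested << >> allowed) followed by the stream keyword
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n")


def fake_sfnt(tag):
    """Constructed stand-in for a font program: a TrueType offset table header
    (version 1.0, zero tables) plus padding. Not a usable font."""
    return b"\x00\x01\x00\x00" + bytes(8) + tag.ljust(64, b"\0")


def build_sample_pdf():
    """Constructed PDF with a page content stream, a raw embedded font stream
    and a Flate-compressed one, so the carver sees both encodings."""
    def obj(num, extra, data):
        return (b"%d 0 obj\n<< %s /Length %d >>\nstream\n" % (num, extra, len(data))
                + data + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n"
            + obj(1, b"", b"BT /F1 12 Tf (hello) Tj ET")
            + obj(2, b"/Subtype /TrueType", fake_sfnt(b"raw"))
            + obj(3, b"/Filter /FlateDecode", zlib.compress(fake_sfnt(b"zipped")))
            + b"trailer << /Root 4 0 R >>\n%%EOF\n")


def carve_fonts(pdf):
    """Report every stream whose decoded bytes start with an sfnt magic, with
    the raw file offset of the stream data, decoded size and SHA-256."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        dictionary, start = m.group(1), m.end()
        # direct /Length only; an indirect '/Length 12 0 R' falls back to endstream
        length = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", dictionary)
        if length:
            end = start + int(length.group(1))
        else:
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
        data = pdf[start:end]
        deflated = b"/FlateDecode" in dictionary
        if deflated:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # corrupt or not actually deflated: skip, do not crash
        if data[:4] not in SFNT_MAGICS:
            continue
        found.append({
            "name": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
            "offset": start,
            "size": len(data),
            "filter": "FlateDecode" if deflated else None,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return found


if __name__ == "__main__":
    for font in carve_fonts(build_sample_pdf()):
        print(font)
```

Hashing the decoded bytes rather than the on-disk stream is what makes the artifact SHA-256 comparable across samples: the same font program packed with different compression settings still yields the same hash.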