Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7b9c93cbab1cbba…

Verdict: MALICIOUS
File type: PDF
Size: 38.0 KB
Authoring application: OpenOffice Draw
MD5: 0d8e402e54de3f23cc33abced5156c1c
SHA-1: 290319935d0f29315310d8d14442c31b276857a9
SHA-256: e7b9c93cbab1cbbae355774f112beadfc42068e807650c791f6dc2992ae558ef
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. This indicates a likely attempt to redirect users to malicious content, such as phishing pages or malware download sites. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports the malicious intent. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003487.bin
SHA-256: 6bf6b1a417dc6e2a0f5b3090161e4ac3620a3171b62e9621e6a7a3b5cbe3b190
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3487
Size: 8628 bytes