Malicious PDF — malware analysis report

Static analysis result for SHA-256 f0fe5310a1d7a1ed…

Verdict: MALICIOUS
File type: PDF
Size: 51.1 KB
Authoring application: LibreOffice Draw
MD5: 058379ec72c92a45d05b5dd700bd49ee
SHA-1: 34f5f05a5244c8678936dceec8a89c6a6d260f99
SHA-256: f0fe5310a1d7a1ed92649cc61f119c54fc5f58cd891b3ac8c671ecd1e41ce549
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, as flagged by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV detection strongly support the malicious verdict. No scripts were extracted from this sample, but the extensive URL list suggests a phishing or content distribution attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://nickelplatebarandgrill.com/uploads/1/3/0/8/130813903/jagen-buvureka-tuvifebikuloli.pdf
    • http://minnesotakindnessproject.org/uploads/1/3/0/5/130550951/zidemefoledebut-jemasik.pdf
    • http://naushnik.space/uploads/1/3/0/7/130776106/fcee7deb2e79e98.pdf
    • http://digitalsqueak.com/uploads/1/3/0/7/130775567/17c5c36e56ab0.pdf
    • http://desatascosbadalona.net/uploads/1/3/0/7/130740256/dubatofutuvuf_fukubuduvazinu.pdf
    • http://rptservices.org/uploads/1/3/0/6/130640063/vesoxiliguxuzizomu.pdf
    • http://bellevueboysswive.com/uploads/1/3/0/8/130873852/1416013.pdf
    • http://theyearsbestwedding.com/uploads/1/3/0/6/130639865/lagawimev-felibor-varugegela.pdf
    • http://cafecancun.us/uploads/1/3/0/6/130604752/garesenu.pdf
    • http://residencebaiaverde.com/uploads/1/3/0/3/130313700/c8d442e7d3f475.pdf
    • http://professionalbeveiliging.nl/uploads/1/3/0/5/130542894/3430311.pdf
    • http://josephdanielglobal.net/uploads/1/3/0/7/130775746/totuwevetixiji.pdf
    • http://manoliskaratarakis.website/uploads/1/3/0/8/130815437/sevofo.pdf
    • http://cheftotablecatering.com/uploads/1/3/0/2/130288379/bozub.pdf
    • http://mpala.net/uploads/1/3/0/7/130739343/d902bfa.pdf
    • http://homegrownent.net/uploads/1/3/0/8/130813362/2468405.pdf
    • http://aylestoneallotments.org/uploads/1/3/0/4/130488401/c179eb.pdf
    • http://2020blue.org/uploads/1/3/0/4/130489029/130489029.html#acalasia+secundaria+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006794.bin
SHA-256: fc301aa3686470355f796c35dcce7d712e683d152ebcc01a47e2e26c0bc821e4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6794
Size: 11080 bytes