Malicious PDF — malware analysis report

Static analysis result for SHA-256 024a7cb44b523176…

Verdict: MALICIOUS
File type: PDF
Size: 56.5 KB
Authoring application: OpenOffice Draw
MD5: f89affe0062401c8b48bd7073312d86a
SHA-1: 43e2df76a787d95b7c92fc6a839aaa4b71f9e27d
SHA-256: 024a7cb44b523176e53a199f030a5fa356a590f3b46797460f2db2dd5289f9d6
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO spam or to distribute further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to redirect the user to potentially harmful content, possibly leveraging JavaScript for execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical) [PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ofunatic.shop/uploads/1/3/0/5/130547515/a9723ca4482fd.pdf
    • http://priscilajamison.com/uploads/1/3/0/5/130538866/difineverove.pdf
    • http://mattbross.biz/uploads/1/3/0/3/130323593/foniwixokajidafigix.pdf
    • http://crystalroseco.com/uploads/1/3/0/2/130289453/juzonosezolep-xoguxapusosu.pdf
    • http://mselisewrites.com/uploads/1/3/0/7/130740060/877164fca8.pdf
    • http://customerfocusedlearning.com/uploads/1/3/0/8/130873973/6406563.pdf
    • http://barndoordecor.co/uploads/1/3/0/5/130590671/914231.pdf
    • http://www.weightlosssurgerycoaching.com/uploads/1/3/0/6/130621431/1266511.pdf
    • http://www.chichestersailing.com/uploads/1/3/0/2/130272232/kubulufefalobod.pdf
    • http://studentloandebtforums.com/uploads/1/3/0/7/130775156/dekupujesaw.pdf
    • http://smootherwaters.com/uploads/1/3/0/4/130488704/961ef729784.pdf
    • http://outpostnews.net/uploads/1/3/0/5/130590457/9654911.pdf
    • http://katafund.net/uploads/1/3/0/4/130488509/8b3a4764292da4.pdf
    • http://kris-ginadesigns.com/uploads/1/3/0/2/130270863/7716792.pdf
    • http://www.acsaver.net/uploads/1/3/0/8/130813860/tugefut_wesexu.pdf
    • http://equestriansupply.co.nz/uploads/1/3/0/5/130551554/a4a99c2.pdf
    • http://smallstuff.info/uploads/1/3/0/6/130621717/wuzevuner.pdf
    • http://starboardopportunitypartners.com/uploads/1/3/0/6/130621194/totowosatejifigozir.pdf
    • http://www.emeliejanssonfoto.com/uploads/1/3/0/6/130605475/lifazoditarep.pdf
    • http://berlin-sachsen-transport.com/uploads/1/3/0/3/130323485/c680e29a09.pdf
    • http://nothingtotriflewith.com/uploads/1/3/0/5/130589244/9738026.pdf
    • http://churrch.life/uploads/1/3/0/6/130639374/rupolefut_gusalapevu_gidigikikux_dovilapizev.pdf
    • http://cmma2017.info/uploads/1/3/0/7/130738629/gejaseg.pdf
    • http://backpainprofessor.com/uploads/1/3/0/6/130620423/03ab0646092.pdf
    • http://74-123-75-26.mgwnet.com/uploads/1/3/0/4/130476069/130476069.html#free+download+convert+pdf+to+word+software

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000014d5.bin
SHA-256: 780c93641f5314f7f2569c6965691db4a5795b337d6f7d96c3e94c9ae9b21e89
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x14D5
Size: 8156 bytes