Malicious PDF — malware analysis report

Static analysis result for SHA-256 0736a5e347db56b5…

MALICIOUS

PDF

37.3 KB Authoring application: OpenOffice Draw
MD5: bb7a9dd93fe9affebe04ca9821b9387f SHA-1: 3a1bb5c332dfc4c614e7087ea6332961c762aabb SHA-256: 0736a5e347db56b59d37f20083d6528994a0ca9bcf44b2c1d8358aebf1f32cbe
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links to external PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests a tactic to manipulate search engine results or distribute additional malicious content. The ML classifier and ClamAV detection further support its malicious nature, classifying it as phishing-related malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://sapmii.online/uploads/1/3/0/6/130604621/a3fe26b1.pdf
    • http://eloyjrojas.com/uploads/1/3/0/2/130289722/4322028.pdf
    • http://blinddoghaven.net/uploads/1/3/0/8/130874488/a486d4f759b37ee.pdf
    • http://www.myhappyeverydaylife.com/uploads/1/3/0/6/130604910/61bf930039.pdf
    • http://randakksstaging.com/uploads/1/3/0/6/130604778/mafufalarewuvutag.pdf
    • http://waterswindowcleaning.com/uploads/1/3/0/6/130603744/810282.pdf
    • http://southernparadisecatering.com/uploads/1/3/0/7/130739313/5e30133d8d5.pdf
    • http://msspadc.net/uploads/1/3/0/5/130589037/xabusipitavizoli.pdf
    • http://riciclometalli.it/uploads/1/3/0/7/130740054/faditetaluwuwu.pdf
    • http://teewit4grownups.com/uploads/1/3/0/6/130621435/xazaxijiwelinuz.pdf
    • http://seanaudleylaw.com/uploads/1/3/0/6/130620451/324dd62.pdf
    • http://rachelnurmiart.com/uploads/1/3/0/6/130621292/tebipinowa.pdf
    • http://serpboards.com/uploads/1/3/0/7/130739918/435fe0b363d.pdf
    • http://anabarragan.com/uploads/1/3/0/6/130620797/29bde30e0.pdf
    • http://konrn.com/uploads/1/3/0/3/130379347/80dd3ae17.pdf
    • http://host80.carmichaelnl.com/uploads/1/3/0/8/130874563/130874563.html#ambidextrous+leadership+theory
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00002c4f.bin
41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2C4F 2600 bytes
font_01_sfnt_off000037d3.bin
817a41236cf252ca7e2d207fcaae36dc830d83d8b98ca3896374881fedf4d1d1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x37D3 7620 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.