Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ae3e2c917ccbf8b…

MALICIOUS

PDF

Size: 44.5 KB
Authoring application (self-reported producer metadata, attacker-controlled): OpenOffice Draw
MD5: d0a938158c485bc406a7e48930caa261
SHA-1: cf2e96c4ccd1f931d8091e3223ce1bc1222edcb0
SHA-256: 0ae3e2c917ccbf8bcef25a352891ff360a246b68d61a817273fa3987d0570a85
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains an unusually large number of embedded URLs (13 were extracted from a 44.5 KB file), which indicates it functions as a link farm rather than a document citing sources. The heuristic PDF_SEO_LINK_FARM flags exactly this pattern: a small PDF whose clickable external links point en masse to further PDFs. Note that the extracted URLs are spread across 13 distinct hosts but share one path template (/uploads/1/3/0/<n>/<id>/<name>.pdf in 11 of 13 cases), so the clustering here is by hosting platform and path structure rather than by hostname. The ML classifier (score 1.0000) and the ClamAV signature Pdf.Dropper.Agent-7963471-0 independently agree that the file is malicious; the likely role is a redirector into a download chain (or, per the ClamAV name, a dropper). No executable content was carved from the sample; the only extracted artifact is an embedded font stream.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-7963471-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7963471-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://fiwogu.habana-moscu.com/uploads/2020/01/29/kapikafedejunotuvi.pdf
    • http://periscopedigital.com.au/uploads/1/3/0/6/130604445/nibexapetumakanidob.pdf
    • http://nyunderground.info/uploads/1/3/0/4/130476068/98331ccb12.pdf
    • http://my-life-juice.net/uploads/1/3/0/5/130542865/c112add.pdf
    • http://monagarciamusic.com/uploads/1/3/0/4/130476348/8707723.pdf
    • http://annaravenscroft.com/uploads/1/3/0/5/130588403/xarididanep.pdf
    • http://browenvycincy.com/uploads/1/3/0/2/130271009/boduz_kamifilafigate_bapalilazida_zaderuzinu.pdf
    • http://ormansite.com/uploads/1/3/0/7/130739053/9652057.pdf
    • http://palmcoastflautorepair.com/uploads/1/3/0/5/130547884/f30229c185de.pdf
    • http://exolot-riba5.site/uploads/1/3/0/6/130620561/resijuvox.pdf
    • http://springbrookaerospace.com/uploads/1/3/0/4/130435546/fb124d6349.pdf
    • http://doodledesignsandrhymes.com/uploads/1/3/0/2/130289532/0b9328aaa1b0e.pdf
    • http://rochecenter.org/uploads/1/3/0/2/130270889/130270889.html#appalto+scorporato+informazioni+al+cse
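The link-farm heuristic described above (a small PDF whose clickable links point en masse to other PDFs) can be approximated directly from the raw file bytes. The following is an added example written for this page, not the analysis platform's own detector: it pulls `/URI (...)` literal strings out of a PDF, measures how strongly the targets cluster by host and by path template, and applies invented thresholds (file size, minimum link count, a 0.6 cluster ratio) that are assumptions, not the platform's. The sample PDF is constructed inline from the 13 URLs listed in the report. On this set every host is distinct, so clustering by hostname alone would not fire; the path-template clustering (11 of 13 follow `/uploads/N/N/N/N/N/*.pdf`) is what catches it, which is why the example measures both.

```python
"""Toy PDF_SEO_LINK_FARM-style check (added example, not the report tool's
own logic). Thresholds and the path-template idea are assumptions; the
sample PDF is constructed from the URLs listed in the report."""
import re
from collections import Counter
from urllib.parse import urlsplit

# URLs exactly as listed in the report's Embedded URL section.
REPORT_URLS = [
    "http://fiwogu.habana-moscu.com/uploads/2020/01/29/kapikafedejunotuvi.pdf",
    "http://periscopedigital.com.au/uploads/1/3/0/6/130604445/nibexapetumakanidob.pdf",
    "http://nyunderground.info/uploads/1/3/0/4/130476068/98331ccb12.pdf",
    "http://my-life-juice.net/uploads/1/3/0/5/130542865/c112add.pdf",
    "http://monagarciamusic.com/uploads/1/3/0/4/130476348/8707723.pdf",
    "http://annaravenscroft.com/uploads/1/3/0/5/130588403/xarididanep.pdf",
    "http://browenvycincy.com/uploads/1/3/0/2/130271009/boduz_kamifilafigate_bapalilazida_zaderuzinu.pdf",
    "http://ormansite.com/uploads/1/3/0/7/130739053/9652057.pdf",
    "http://palmcoastflautorepair.com/uploads/1/3/0/5/130547884/f30229c185de.pdf",
    "http://exolot-riba5.site/uploads/1/3/0/6/130620561/resijuvox.pdf",
    "http://springbrookaerospace.com/uploads/1/3/0/4/130435546/fb124d6349.pdf",
    "http://doodledesignsandrhymes.com/uploads/1/3/0/2/130289532/0b9328aaa1b0e.pdf",
    "http://rochecenter.org/uploads/1/3/0/2/130270889/130270889.html#appalto+scorporato+informazioni+al+cse",
]

# Literal-string form of a link action: /URI (http://...). Hex strings
# (/URI <...>) and URIs inside FlateDecode'd object streams are NOT matched;
# a real tool must inflate streams before scanning.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.DOTALL)


def build_sample_pdf(uris):
    """Constructed test input: a skeletal PDF with one /Link annotation per URI.
    It has no valid xref table, so it only serves the regex extractor below."""
    objs = []
    for i, u in enumerate(uris, start=10):
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"{i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI ({esc}) >> >>\nendobj\n")
    body = "%PDF-1.4\n" + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return body.encode("latin-1")


def extract_link_uris(pdf_bytes):
    """Return http(s) targets of /URI literal strings found in the raw bytes."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        # Undo single-character escapes (\( \) \\); octal escapes are not handled.
        u = re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
        if u.lower().startswith(("http://", "https://")):
            uris.append(u)
    return uris


def path_template(url):
    """Collapse a URL path to a shape: numeric segments become N, the final
    component keeps only its extension. Hosting platforms that auto-generate
    upload paths produce one shape across many unrelated hostnames."""
    segs = urlsplit(url).path.split("/")[1:]
    out = []
    for i, s in enumerate(segs):
        if i == len(segs) - 1:
            ext = s.rsplit(".", 1)[1].lower() if "." in s else ""
            out.append("*." + ext if ext else "*")
        elif s.isdigit():
            out.append("N")
        else:
            out.append(s)
    return "/" + "/".join(out)


def link_farm_verdict(size_bytes, uris, *, max_size=128 * 1024, min_links=8, cluster_ratio=0.6):
    """Flag a small PDF whose external links cluster by host OR by path template.
    All three thresholds are invented for this example."""
    n = len(uris)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    templates = Counter(path_template(u) for u in uris)
    top_host, host_n = hosts.most_common(1)[0] if n else ("", 0)
    top_tmpl, tmpl_n = templates.most_common(1)[0] if n else ("", 0)
    host_ratio = host_n / n if n else 0.0
    tmpl_ratio = tmpl_n / n if n else 0.0
    pdf_targets = sum(1 for u in uris if urlsplit(u).path.lower().endswith(".pdf"))
    flagged = (size_bytes <= max_size and n >= min_links
               and max(host_ratio, tmpl_ratio) >= cluster_ratio)
    return {"flagged": flagged, "links": n, "pdf_targets": pdf_targets,
            "top_host": top_host, "host_ratio": round(host_ratio, 3),
            "top_template": top_tmpl, "template_ratio": round(tmpl_ratio, 3)}


if __name__ == "__main__":
    sample_size = int(44.5 * 1024)  # size stated in the report
    found = extract_link_uris(build_sample_pdf(REPORT_URLS))
    print(link_farm_verdict(sample_size, found))
    # Control: a handful of citation links is not a link farm.
    print(link_farm_verdict(sample_size, REPORT_URLS[:3]))
```

The host ratio for this sample is 1/13, so a detector that only looked for "many links on one host" would miss it; the template ratio of 11/13 is the signal. Anything scanning real samples must also inflate compressed object streams and handle hex-string and indirect `/URI` values, which the regex pass above deliberately skips.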

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001582.bin
SHA-256: 94d3119c4818b90a0db89c9d124d181152d11e181b25f6b10add680291e876bb
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1582
Size: 9196 bytes