Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b8eafb51b6a7be6…

MALICIOUS

PDF

61.7 KB Authoring application: SWFTools
MD5: f04b3a4e56936ab049c874ddf5794074 SHA-1: bab24be3a9694d985a789ba0e45a7de5ce0b4607 SHA-256: 0b8eafb51b6a7be65da711792f715c657b929fac2e924f62ad7dcaac9aad86f0
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, exhibiting characteristics of a link farm. The document body contains numerous embedded URLs pointing to other PDF files, suggesting a tactic to distribute content or potentially host further malicious payloads. The primary attack pattern involves leveraging a large number of external links, likely for SEO poisoning or to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.goldendaysfarm.com/uploads/1/3/0/4/130476200/jugopufelomoxe_paloto_vuwumuzuro_zakudisibe.pdf
    • http://mta-sts.mailserver.crossfittayho.com/uploads/1/3/0/3/130313179/5207692.pdf
    • http://ellandbe.com/uploads/1/3/0/6/130620293/wavokuw_larevu_minumexugamefa_maponudabuxuv.pdf
    • http://valourcoaching.co.uk/uploads/1/3/0/6/130639337/dufuvevevubed.pdf
    • http://www.newplayoutlet.com/uploads/1/3/0/5/130589444/misidida.pdf
    • http://zaraservice.com/uploads/1/3/0/2/130287279/4634449.pdf
    • http://batucando.nl/uploads/1/3/0/5/130590353/xemonupovonitu-zuzimitavapapur-tikavuz-vigimavija.pdf
    • http://samsungservicecenter.net/uploads/1/3/0/8/130814295/bamarep.pdf
    • http://stcolumbanusalumni.org/uploads/1/3/0/2/130270762/4664084.pdf
    • http://experiencetrailhead.com/uploads/1/3/0/9/130969146/156105.pdf
    • http://juliespetals.com/uploads/1/3/0/2/130289509/d459be9a9.pdf
    • http://needhamrailtrail.com/uploads/1/3/0/7/130775623/1816fc5.pdf
    • http://nkbcapital.com/uploads/1/3/0/5/130590338/4727536.pdf
    • http://thedecluttered.life/uploads/1/3/0/8/130874361/bimojukebudavovipaba.pdf
    • http://nolababybump.net/uploads/1/3/0/6/130639508/bajebedowegaxu_gemepolisoxix.pdf
    • http://mektephan.net/uploads/1/3/0/6/130639544/3267557.pdf
    • http://jackpassions.com/uploads/1/3/0/6/130604823/6520347.pdf
    • http://summercollege4kids.org/uploads/1/3/0/7/130775701/0871630.pdf
    • http://botanicahomebody.com/uploads/1/3/0/7/130775626/felinan.pdf
    • http://yoseph.com/uploads/1/3/0/7/130740092/giwefela_vezezonusita_bonewosiz.pdf
    • http://mi6app.com/uploads/1/3/0/5/130588729/8400873.pdf
    • http://2psp.fr/uploads/1/3/0/4/130483653/2162821.pdf
    • http://host250.carmichaelnl.com/uploads/1/3/0/2/130289333/130289333.html#recurrent+pneumonia+in+child+ppt
    • http://www.thdl.org/http://www.thdl.org/Tibetan
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.htmlTibetan
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000010a3.bin
3e9e9dd3dd08d87061814740b4e400808c5865b1b88d7694deac6678eaf4a2c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10A3 9052 bytes
font_01_sfnt_off000089fe.bin
e6ef1070fe110e09fdf6bef938d0dd901ba4047105bbf626610727e05d38d2aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x89FE 8976 bytes
font_02_sfnt_off00009b35.bin
c834cfc94954a8630e1e3b17346d4d1c9b9636b7080d5378a78b1d64d245fe31		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B35 2296 bytes
font_03_sfnt_off0000a4d9.bin
e2a609504f31aba74360c8f97aead3d8f97c76e888a653261413c8bef59e3205		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA4D9 2884 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.