Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c59895c56e0c6a4…

Verdict: MALICIOUS
File type: PDF
Size: 137.0 KB
Authoring application: OpenOffice.org
MD5: 1c7c76c0db6c7898d7b40d88c86d7e79
SHA-1: ab4cb2130faa2aa13bc263a28a2c4a497c49c2d7
SHA-256: 0c59895c56e0c6a4771bfa2a29b09ced07fc490a98eaaa6a45a06f78daf14367
Risk Score: 192

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, most of which point to other PDF files; this is the shape of a link farm built for SEO manipulation or to route users toward malicious content rather than a normal citation pattern. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' indicates that the document text combines fake lottery/prize wording with parcel-delivery demands, the classic advance-fee fraud lure. The ClamAV signature and the ML classifier corroborate the verdict: the file most likely serves as a lure that leads the reader into further malicious downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [high] SE_ADVANCE_FEE_SCAM_LURE: Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://bozemanradiant.com/uploads/1/3/0/4/130483210/munugosodos.pdf
    • http://purl.one/uploads/1/3/0/2/130273798/bea190269857b.pdf
    • http://mdcablingservice.com/uploads/1/3/0/5/130589385/4292197.pdf
    • http://nbmgonline.com/uploads/1/3/0/7/130739437/0cdd6b321b22250.pdf
    • http://mx.circlecitycrystals.com/uploads/1/3/0/3/130313585/7017970.pdf
    • http://monthlytights.net/uploads/1/3/0/6/130621938/5358775.pdf
    • http://urbanvillagefitness.com/uploads/1/3/0/5/130541846/d24b2949c724.pdf
    • http://bettabowls.com/uploads/1/3/0/7/130775737/pebogepodanudoke.pdf
    • http://salenasantibanez.org/uploads/1/3/0/6/130640101/xoxadoxajakis-kofaboko-xuvepamubukeg-visixuxubev.pdf
    • http://swellbathrooms.com/uploads/1/3/0/6/130621483/natawovivesugin_narenukelefal_wusugi.pdf
    • http://madeinvenicefilm.net/uploads/1/3/0/4/130490151/9214731.pdf
    • http://infusionsafety.com/uploads/1/3/0/4/130475994/jemefexegokatebif.pdf
    • http://a1638037xstreamtravel.xsideas.com/uploads/1/3/0/5/130552084/130552084.html#netbook+acer+aspire+one+usado
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
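The two content heuristics above (PDF_SEO_LINK_FARM and SE_ADVANCE_FEE_SCAM_LURE) can be reproduced with a few lines of triage code. The script below is an added illustration written for this page, not the analysis platform's own detection logic; the threshold values, the `example.invalid` hosts in the constructed PDF skeletons and the lure text are all assumptions chosen so the example runs offline. It pulls `/URI` link actions out of raw PDF bytes, then scores them the way the heuristic text describes (small file, many external links, most of them `.pdf`, concentrated on one host). Because the URL list extracted from this sample spreads across many hosts that share the identical `/uploads/1/3/0/…` path layout, the check also clusters on a digit-normalised path template, which goes a step beyond the single-host wording of the heuristic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for a small link-farm PDF (not the analysed sample). Objects are left
# uncompressed so the regex pass can see the /URI actions; all hosts are placeholders.
FARM_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Subtype /Link /A << /S /URI /URI (http://farm-a.example.invalid/uploads/1/3/0/4/130483210/a.pdf) >> >> endobj
5 0 obj << /Subtype /Link /A << /S /URI /URI (http://farm-a.example.invalid/uploads/1/3/0/2/130273798/b.pdf) >> >> endobj
6 0 obj << /Subtype /Link /A << /S /URI /URI (http://farm-a.example.invalid/uploads/1/3/0/5/130589385/c\\(1\\).pdf) >> >> endobj
7 0 obj << /Subtype /Link /A << /S /URI /URI (http://farm-a.example.invalid/uploads/1/3/0/7/130739437/d.pdf) >> >> endobj
8 0 obj << /Subtype /Link /A << /S /URI /URI (http://farm-b.example.invalid/uploads/1/3/0/5/130552084/index.html) >> >> endobj
9 0 obj << /Subtype /Link /A << /S /URI /URI (https://fonts.example.invalid/license) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign document: a few citation links to unrelated hosts.
CITATION_PDF = b"""%PDF-1.4
1 0 obj << /Subtype /Link /A << /S /URI /URI (https://spec.example.invalid/rfc/8259) >> >> endobj
2 0 obj << /Subtype /Link /A << /S /URI /URI (https://docs.example.invalid/library/re.html) >> >> endobj
3 0 obj << /Subtype /Link /A << /S /URI /URI (https://fedoraproject.org/wiki/Licensing/LiberationFontLicense) >> >> endobj
%%EOF
"""

# PDF literal string after a /URI key; handles backslash escapes inside the parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes):
    """Return /URI targets found in uncompressed PDF objects.
    Caveat: link annotations inside FlateDecode object streams are invisible to this pass;
    a full tool inflates those streams (zlib) first and also handles <hex> string syntax."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        uris.append(raw.decode("latin-1"))
    return uris


def path_template(u):
    """Collapse digit runs and drop the file name so that /uploads/1/3/0/4/130483210/a.pdf
    and /uploads/1/3/0/2/130273798/b.pdf fold onto the same template."""
    directory = urlsplit(u).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory) + "/"


def link_farm_check(pdf_bytes, max_size=512 * 1024, min_links=5, pdf_share=0.6, cluster_share=0.5):
    """PDF_SEO_LINK_FARM-style heuristic. Thresholds are illustrative assumptions."""
    ext = [u for u in extract_uris(pdf_bytes) if u.lower().startswith(("http://", "https://"))]
    result = {"size": len(pdf_bytes), "external_links": len(ext), "match": False}
    if len(pdf_bytes) > max_size or len(ext) < min_links:
        return result
    pdf_links = sum(1 for u in ext if urlsplit(u).path.lower().endswith(".pdf"))
    top_host, host_n = Counter(urlsplit(u).hostname or "" for u in ext).most_common(1)[0]
    top_tpl, tpl_n = Counter(path_template(u) for u in ext).most_common(1)[0]
    result.update(pdf_links=pdf_links, top_host=top_host, top_host_links=host_n,
                  top_template=top_tpl, top_template_links=tpl_n)
    clustered = max(host_n, tpl_n) / len(ext) >= cluster_share
    result["match"] = pdf_links / len(ext) >= pdf_share and clustered
    return result


# Word groups for the SE_ADVANCE_FEE_SCAM_LURE-style check; the heuristic fires only when
# prize, funds and parcel/courier wording co-occur, since any one group alone is ordinary text.
LURE_GROUPS = {
    "prize": ("lottery", "beneficiary", "winner", "prize", "award"),
    "funds": ("draft", "funds", "cheque", "check", "usd", "$"),
    "delivery": ("parcel", "courier", "delivery", "consignment", "shipping"),
}

LURE_TEXT = ("Congratulations, you are the beneficiary of the international lottery award. "
             "Your certified bank draft of USD 850,000 will be released once the courier "
             "parcel delivery fee is paid.")  # constructed lure text
BENIGN_TEXT = "Your parcel has left the depot and the courier will attempt delivery tomorrow."


def advance_fee_lure(text):
    t = text.lower()
    hits = {group: [w for w in words if w in t] for group, words in LURE_GROUPS.items()}
    return {"match": all(hits.values()), "hits": hits}


if __name__ == "__main__":
    for name, blob in (("farm", FARM_PDF), ("citation", CITATION_PDF)):
        print(name, link_farm_check(blob))
    print("lure", advance_fee_lure(LURE_TEXT)["match"], "benign", advance_fee_lure(BENIGN_TEXT)["match"])
```

On the constructed farm skeleton the check reports six external links, four of them PDFs, with the same host and the same `/uploads/N/N/N/N/N/` template behind most of them, so it matches; the three-link citation document falls below `min_links` and does not. Against a real sample the uncompressed-object assumption is the part to watch: generated PDFs frequently put annotations in compressed object streams, and a regex pass that sees zero `/URI` strings in a file like this one should be treated as "could not inspect", not "no links".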

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002df2.bin
  SHA-256: fd6f36eced7cf6c737da1aef74c8e9cd877e397c1239c63c5f2843bdfbfe5f87
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2DF2
  Size: 12056 bytes

Filename: font_01_sfnt_off0000e751.bin
  SHA-256: 2563807223d686b98c00555c583c39a0d8e0d5539b1537586a5d9d14e57bf7bf
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xE751
  Size: 2696 bytes