Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c91754fbb372cf4…

Verdict: MALICIOUS
File type: PDF
Size: 40.5 KB
Authoring application: LibreOffice Draw
MD5: 8e5f7b3c844af1ae465842287f23a4a1
SHA-1: be01c4ee93c46d019cd3db83171299f92facf9a0
SHA-256: 0c91754fbb372cf408ff4ab35d2f1b40aa0a27e543ed3b90d2ac2cbe59543415
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded links to external PDF documents, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests a tactic to manipulate search engine results or distribute additional malicious content. While no scripts were explicitly extracted, the ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000022a5.bin
  SHA-256: ef005437b508321115eb88a2d98bca6d3844975e97ba7365cb585684164d830e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x22A5
  Size: 7716 bytes

Filename: font_01_sfnt_off00003d46.bin
  SHA-256: 924cc88c433480bc4d71dd10597a51659a3cc4cd21167774e904e29674488f4a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3D46
  Size: 7580 bytes