Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ed8186044fb25d9…

Verdict: MALICIOUS
File type: PDF
Size: 65.0 KB
Authoring application: PDFBox
MD5: c338f1d3567b14c9e8705d89b3169a43
SHA-1: f319dca2f719f17b3dab255e35c17819d24ca721
SHA-256: 0ed8186044fb25d910d312b6656549f5f37970a03b2d89702da1a6f445e93eeb
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of embedded URLs, identified as a link farm, suggesting a phishing or malware distribution campaign. The ClamAV detection and ML classifier further support its malicious nature. While no scripts were explicitly extracted, the structure and embedded URLs indicate an attempt to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://optimalhospicefoundation.org/uploads/1/3/0/6/130604173/ac558fb2.pdf
    • http://coldwatercollections.com/uploads/1/3/0/6/130621654/2510303.pdf
    • http://gamercharity.com/uploads/1/3/0/6/130621703/nijogarujisusosim.pdf
    • http://flintmage.com/uploads/1/3/0/5/130541445/penivar-jalibeduxudu-pumepunede.pdf
    • http://laughingduck.org/uploads/1/3/0/3/130323566/bigajizajejetumumeji.pdf
    • http://rockthedam.org/uploads/1/3/0/3/130379798/880001.pdf
    • http://sataunton.org/uploads/1/3/0/8/130814594/xefobuzovutenek.pdf
    • http://www.goodfreethings.com/uploads/1/3/0/6/130640232/84a0d1fc61ef49.pdf
    • http://uciesl.com/uploads/1/3/0/7/130775889/0a8e2c6.pdf
    • http://www.stableyardshops.co.uk/uploads/1/3/0/8/130873983/5b23753.pdf
    • http://slowgather.com/uploads/1/3/0/8/130873804/gejutewe.pdf
    • http://simdisplays.com/uploads/1/3/0/7/130738830/nuzisalarosukeg_xoratirorozubun_xolufoligeli.pdf
    • http://reallytees.com/uploads/1/3/0/4/130483895/bisonurepev.pdf
    • http://puffyshirts.life/uploads/1/3/0/4/130490036/jegosenabij-tezagasabarasej.pdf
    • http://aufstehen-gegen-linksfaschismus.org/uploads/1/3/0/8/130813536/golabudeweroxux.pdf
    • http://jimstack.net/uploads/1/3/0/2/130270832/7428363.pdf
    • http://valdineschroeder.com/uploads/1/3/0/4/130477083/7255606.pdf
    • http://unicornwriting.com/uploads/1/3/0/7/130738970/dinebuku_dajelu_pobunovi.pdf
    • http://sally-fox.com/uploads/1/3/0/7/130739500/4393973.pdf
    • http://nirvanatails.net/uploads/1/3/0/7/130739153/3496513.pdf
    • http://messianicmetis.ca/uploads/1/3/0/6/130605312/nidex.pdf
    • http://andyanddenise.com/uploads/1/3/0/3/130379415/vanenezop-falizivevisul.pdf
    • http://lykaios.net/uploads/1/3/0/6/130639811/9474373.pdf
    • http://thewrinkledsuit.com/uploads/1/3/0/5/130542822/vefigopu.pdf
    • http://host15.pleasingfood.com/uploads/1/3/0/2/130274169/130274169.html#drugs+used+in+treatment+of+peptic+ulcer+disease
    • http://fontawesome.iohttp://fontawesome.io/license/
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, where in the sample it was found, and its size.

font_00_sfnt_off00001155.bin
  SHA-256: 028210d53acf49bc56ce106a93857c87c7891af906990986ecc352b09e4f84fc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1155
  Size: 8544 bytes

font_01_sfnt_off0000913f.bin
  SHA-256: 6fd14b75b40592aa63214dc3858e40b996a0bcf5155abc0d72d014faea57e82d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x913F
  Size: 16084 bytes

font_02_sfnt_off0000a5a4.bin
  SHA-256: 337ea87ab8104f512fe40f72ca87b6951d6765c18baf97d6b8bb8819351f29c2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA5A4
  Size: 2200 bytes

font_03_sfnt_off0000aefd.bin
  SHA-256: da6e935b6a97a045a0c5629c3666d6f53d7c870963c8d55116ca0c7eba84cbf8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAEFD
  Size: 2732 bytes