Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f7d586f931b575e…

Verdict: MALICIOUS
File type: PDF
Size: 85.3 KB
Authoring application: Adobe PDF Library 9.0
MD5: 194ebeec91ddc27621d38baeab9608dc SHA-1: c57f138ac14e7115e1247b4223b2924dc0805013 SHA-256: 0f7d586f931b575e4d9e3dd035da950eaa7bf7bd3347c0c01dba6d2e81ca5715
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, identified as a link farm. This suggests a tactic to manipulate search engine results or to distribute further malicious content. While no scripts were explicitly extracted, the heuristic 'ML_NYX_PDF_MALICIOUS' and ClamAV detection indicate malicious intent, likely related to phishing or malware distribution via these links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9963

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000b1b7.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB1B7  16204 bytes
    SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
font_01_sfnt_off0000c77a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xC77A  8700 bytes
    SHA-256: b57abfcb457ec495261ecbecaa1c1e26cd519f0918bed43c55f0a8cd7505d8b8
font_02_sfnt_off0000de0b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xDE0B  2716 bytes
    SHA-256: 6bb4616891b14494a0d7454118927f90edf2f5d3d7520645e060bceedca75288
font_03_sfnt_off0000ea7f.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xEA7F  8544 bytes
    SHA-256: 5cc16f2933284300b0d266be91a6d86a735f1ca543a0d51d84cd4b65bcace798