Malicious PDF — malware analysis report

Static analysis result for SHA-256 122a1ad82865440e…

MALICIOUS

PDF

Size: 40.9 KB | Authoring application: OpenOffice.org
MD5: 24cb3b54715123d43a8deb9e07651d4b SHA-1: 43ad54e20a6c9d950cdd6ea526c443d164b17212 SHA-256: 122a1ad82865440e2fc66403fb7b4333d6d8b53bfec7f1e46262f178562c3142
Risk Score: 192

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links to external PDF files, a technique often used to distribute malware or redirect users to phishing sites. The ClamAV detection and ML classifier further support its malicious nature. Although no scripts were explicitly extracted, the PDF structure and embedded links suggest an attempt to lure users to malicious content, likely as part of a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL (high, PDF_RANDOM_URL_LINK)
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000014d5.bin
SHA-256: 1bbf2efefa2f2a6ac1d4a2ddff21233feede0e5b24ef686b95f9158ecd3f7c57
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x14D5
Size: 9136 bytes