Malicious PDF — malware analysis report

Static analysis result for SHA-256 16e27aabb62ca8ca…

Verdict: MALICIOUS
File type: PDF
Size: 54.1 KB
Authoring application: OpenOffice.org
MD5: e264f0598d8d2ca086fee85b8c4a21dd
SHA-1: e6432538bab4ae03eb3c44dff5846472b75023d9
SHA-256: 16e27aabb62ca8cae0940dc4fb6c12bbd512840dd1900658d29abfa278f4da74
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate malicious intent. The embedded URLs likely lead to further stages of infection or phishing attempts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://kentuckyvslouisville.com/uploads/1/3/0/7/130775294/nobujopolokoz.pdf
    • http://futuretekinc.org/uploads/1/3/0/2/130270894/9127507b3382.pdf
    • http://www.blackgirlwhoblogs.com/uploads/1/3/0/6/130620987/9343556.pdf
    • http://huanqiuyulechengzaixiankaihu.br3h.com/uploads/1/3/0/8/130874156/seraxewumonu.pdf
    • http://www.carpenterandthelady.com/uploads/1/3/0/4/130476069/fusijafekixavaba.pdf
    • http://platinumpoolsandpatios.com/uploads/1/3/0/7/130776072/rawivekaxagetarades.pdf
    • http://purevoyage.net/uploads/1/3/0/5/130539165/vetusinakalube-xakuvonipolul-revubogisota-tavulejibu.pdf
    • http://albemarleop.com/uploads/1/3/0/5/130540282/fowepas.pdf
    • http://nicoleforcouncil.com/uploads/1/3/0/5/130589302/2857764.pdf
    • http://singletaryslogistics.com/uploads/1/3/0/7/130739539/zebejepeso.pdf
    • http://douxbebekollection.net/uploads/1/3/0/5/130590435/xezuwa-dulorolof-kusukaxoxor.pdf
    • http://mx.zbelladesigns.com/uploads/1/3/0/2/130271234/pemuzewubuxale.pdf
    • http://mccurdyfabricating.com/uploads/1/3/0/5/130590126/6624678.pdf
    • http://threebrothers.us/uploads/1/3/0/7/130740251/sesunusivavako-sigosevugofude-dijeboxamema.pdf
    • http://www.meirdamsport.eu/uploads/1/3/0/5/130550874/74ceaf789.pdf
    • http://bearvbaby.org/uploads/1/3/0/5/130543305/0b8873b57d8703.pdf
    • http://ip27.reimak.com/uploads/1/3/0/5/130539897/tojozotegusabut.pdf
    • http://ruedasdeinnovacion.com/uploads/1/3/0/2/130292098/nelozam.pdf
    • http://ketys.net/uploads/1/3/0/7/130738919/wiwet-susag.pdf
    • http://holypost.info/uploads/1/3/0/6/130604666/4775443.pdf
    • http://adsl-63-204-18-36.benefitplans.org/uploads/1/3/0/6/130620951/130620951.html#agrimoon+com+ornamental+horticulture

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001154.bin
SHA-256: 0331262dfe47150e05291ac33cbd000c0c9528a6361f14d09bdd5bcab3f00e08
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1154
Size: 8580 bytes