Malicious PDF — malware analysis report

Static analysis result for SHA-256 17bff501ccb30744…

Verdict: MALICIOUS
File type: PDF
Size: 72.0 KB
Authoring application: OpenOffice Draw
MD5: 5a22966cf1bed38b134d35bb6b340214
SHA-1: 463ee4e0ad5a4b4226599e820ad6d695e5e299fe
SHA-256: 17bff501ccb307445ccf068330e3553063cacfbf10cf78dde39dc5368d55667b
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or phishing campaign. The ML_NYX_PDF_MALICIOUS and ClamAV detections further support its malicious nature. While no scripts were directly extracted, the embedded URLs are the primary indicators of malicious intent, likely leading to further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); this is a low-signal finding unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00001498.bin | d3d8bdab86fbccbd911df17dde309804362dbdcfcf56a1017489b082181579c6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1498 | 8508 bytes
font_01_sfnt_off00009e9a.bin | 32b54217619f9438721b423dc2f4f4da0f78781b0811ea49af2be6b0310ecf56 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9E9A | 16164 bytes
font_02_sfnt_off0000b35f.bin | 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB35F | 1388 bytes
font_03_sfnt_off0000bdb3.bin | 3ce6968ba5d8ec7b42d046f44dbf2978520877221d85475bf4ce464d16a05f44 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBDB3 | 17144 bytes