Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f70f0c6161bc324…

Verdict: MALICIOUS
File type: PDF
Size: 38.8 KB
Authoring application: LibreOffice
MD5: f5edcf685d829edf384b9f13e9db454e
SHA-1: a3bfab07f7ff6e87dc7ea22616a6b95eb938302d
SHA-256: 1f70f0c6161bc324718ba17ad1883af27399cc3ad3df599e896e82da9d55b264
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier output strongly indicate malicious intent. The primary attack pattern involves directing users to a vast array of linked PDF files, likely for SEO spam or to distribute further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003549.bin
SHA-256: c1d997a086948d34f9afb5516be6f1590aa7d05d7de4196071992afbbd58d3e3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3549
Size: 8232 bytes