Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d04e7df134852f8…

Verdict: MALICIOUS

File type: PDF

Size: 43.0 KB
Authoring application: OpenOffice.org
MD5: 3a12840df7104762d3ae29a4142c651b
SHA-1: 11a0d8d381d21171bc81e503caa45bdd9cd7fe3e
SHA-256: 3d04e7df134852f85f862b75fe7eb103eaa23800703432dcc9dc49dd9ac9e992
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file exhibits a critical heuristic firing for a PDF link farm, containing numerous external links to other PDF documents. The primary purpose appears to be directing users to a large number of potentially malicious or phishing-related PDFs hosted across various domains. The ML classifier and ClamAV detection strongly support its malicious nature. No scripts were extracted, and the document body was unreadable.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename | Kind | Source | Size

  • font_00_sfnt_off00002c50.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x2C50 | Size: 16036 bytes
  • font_01_sfnt_off00004476.bin
    SHA-256: 4cdbfa123a5ac57b39c330af2df89a754ba8cf2037d5f9956aaa8dc964253d8a
    Kind: pdf-font-stream | Source: PDF embedded font (sfnt) at offset 0x4476 | Size: 11360 bytes