Malicious PDF — malware analysis report

Static analysis result for SHA-256 3dec242ab1c082a8…

MALICIOUS

PDF

Size: 27.4 KB    Authoring application: OpenOffice.org
MD5:     0c493d9185d78ec1dd630b4cdcff6a9a
SHA-1:   139676b9836ecbde58bff75da22e396a865af0c1
SHA-256: 3dec242ab1c082a822d9dff9307b6ed0ca83d141ec6debc9ffe356e3d888c2f8
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment (the PDF itself, delivered as the lure)
T1566.002 Phishing: Spearphishing Link (the external links embedded in the PDF)
T1204.002 User Execution: Malicious File (the victim opens the PDF)
T1204.001 User Execution: Malicious Link (the victim clicks an embedded link)

The PDF carries a large number of clickable links to other PDF files, a pattern typical of SEO-poisoning and phishing lures rather than of a document citing its sources. The ClamAV signature and the Nyx PDF classifier agree that the file is malicious. The 20 extracted URLs point at 20 different hosts, yet every one of them uses the same directory template (/uploads/1/3/0/<digit>/130xxxxxx/<name>.pdf) with machine-generated file names; that uniformity across unrelated domains is what a bulk-generated link farm looks like. The linked PDFs are most likely further hops that redirect users to malicious content or additional phishing pages. Do not fetch them from an unsandboxed host; the hosts and the shared path pattern are the indicators to push to mail and proxy filtering.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://caneycreekstudio.net/uploads/1/3/0/7/130775031/bawux.pdf
    • http://skywarnforum.com/uploads/1/3/0/2/130272501/jetibibavun.pdf
    • http://advancinghc.com/uploads/1/3/0/6/130603725/kuvas_siparemulezabov_noxel.pdf
    • http://sfmagiccircus.com/uploads/1/3/0/7/130738723/jarozobu.pdf
    • http://101taiwantour.com/uploads/1/3/0/6/130639365/7623267.pdf
    • http://hohohohustle.com/uploads/1/3/0/6/130604150/xepetuzi_katok_fezidisumevuli_matedej.pdf
    • http://gippslandflights.com/uploads/1/3/0/7/130775242/sewomekemesefo-riboranivuxoxa.pdf
    • http://stakemywallets.com/uploads/1/3/0/6/130639557/a76699199d7305.pdf
    • http://blog.chrisbikes.co.uk/uploads/1/3/0/7/130775796/xibesikupijuko.pdf
    • http://mx.blueknightsbcv.com/uploads/1/3/0/2/130289315/8554482.pdf
    • http://antocorp.com/uploads/1/3/0/7/130776408/futikuvatomulekobuba.pdf
    • http://formerfattyfitness.com/uploads/1/3/0/4/130489229/nizaderop.pdf
    • http://forgetitsolutions.com/uploads/1/3/0/2/130272985/8588960.pdf
    • http://quartzplanning.com/uploads/1/3/0/6/130621100/d202ea792d363.pdf
    • http://www.redondo.nl/uploads/1/3/0/6/130604772/somawunuwu.pdf
    • http://willowwolffurnishings.com/uploads/1/3/0/6/130620981/7bde07bf28.pdf
    • http://hjeminteriors.com/uploads/1/3/0/7/130738543/gosab_xomonebogato_jumatero.pdf
    • http://plotsforvillas.com/uploads/1/3/0/6/130621487/8395841.pdf
    • http://www.debphillips.org/uploads/1/3/0/5/130590243/lesotizonusuxuvabe.pdf
    • http://ttcasfriendsandfamily.org/uploads/1/3/0/5/130544232/3d01072af.pdf
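The PDF_SEO_LINK_FARM heuristic above is easy to reproduce for triage. The following Python is an added example written for this report, not the scanner's own rule: it pulls literal-string /URI entries out of link annotations, keeps only external links ending in .pdf, and flags a small file when many such links cluster either on one host (the rule as stated) or on one digit-collapsed directory template across many hosts (the pattern this sample actually shows, so the example generalizes the rule). The input PDFs are constructed in the script with hypothetical .example domains; the size and count thresholds are assumptions, not the scanner's values.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Literal-string /URI entries only. A production scanner must first inflate
# FlateDecode object streams (PDF 1.5+) and decode hex strings <...> and
# escaped parentheses; the constructed samples below use neither.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def build_sample_pdf(urls):
    """Constructed test input (not a carved sample): a skeletal PDF whose single
    page carries one /Link annotation per URL. It has no xref table, so it will
    not render, but it contains exactly the object syntax a triage scanner keys on."""
    parts = [b"%PDF-1.4\n",
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
             b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"]
    refs = b" ".join(b"%d 0 R" % (10 + i) for i in range(len(urls)))
    parts.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >> endobj\n")
    for i, url in enumerate(urls):
        parts.append((b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                      b"/A << /S /URI /URI (%s) >> >> endobj\n") % (10 + i, url.encode("ascii")))
    parts.append(b"%%EOF\n")
    return b"".join(parts)


def external_pdf_links(pdf):
    """Every http(s) link-annotation target whose path ends in .pdf."""
    links = []
    for m in URI_RE.finditer(pdf):
        url = m.group(1).decode("latin-1")
        p = urlparse(url)
        if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf"):
            links.append(url)
    return links


def path_template(url):
    """Collapse digit runs so /uploads/1/3/0/7/130775031/x.pdf and
    /uploads/1/3/0/6/130603725/y.pdf map to the same directory template."""
    directory = urlparse(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def link_farm_verdict(pdf, max_size=64 * 1024, min_links=10, min_cluster_share=0.5):
    """Return the heuristic's signals plus a boolean verdict (thresholds are assumed)."""
    links = external_pdf_links(pdf)
    n = len(links)
    hosts = Counter(urlparse(u).netloc.lower() for u in links)
    templates = Counter(path_template(u) for u in links)
    top_host = hosts.most_common(1)[0][1] if hosts else 0
    top_template = templates.most_common(1)[0][1] if templates else 0
    host_share = top_host / n if n else 0.0
    template_share = top_template / n if n else 0.0
    flagged = (len(pdf) <= max_size and n >= min_links
               and max(host_share, template_share) >= min_cluster_share)
    return {"size": len(pdf), "external_pdf_links": n, "distinct_hosts": len(hosts),
            "host_share": host_share, "template_share": template_share, "flagged": flagged}


# Constructed lure: 16 hypothetical hosts that all share one directory template.
FARM_URLS = ["http://site%02d.example/uploads/1/3/0/%d/1307%05d/lure%d.pdf" % (i, i % 8, i, i)
             for i in range(16)]
# Constructed benign document: a couple of ordinary citation links.
BENIGN_URLS = ["https://docs.example.org/spec/v2.pdf",
               "https://example.com/whitepaper.pdf",
               "https://example.net/about"]

FARM_PDF = build_sample_pdf(FARM_URLS)
BENIGN_PDF = build_sample_pdf(BENIGN_URLS)

if __name__ == "__main__":
    for name, pdf in (("farm", FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, link_farm_verdict(pdf))
```

Run against a real sample, replace the constructed bytes with the file contents and inflate any object streams first; the template signal is what keeps the rule from being evaded simply by spreading the farm across many domains, as this sample does.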

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001eb9.bin
SHA-256:  394201c58f492baba12304389f384cfd6d87999f8e8c088c38256d3432463578
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1EB9
Size:     7188 bytes