PDF malware analysis — malicious · 413741136a1ff386

MALICIOUS

PDF

139.9 KB Authoring application: OpenOffice.org

MD5: f6135cedb3e3391c8e1bffb68cf24838 SHA-1: a9ef23d15993836ced1a51517cfcdddf8e516690 SHA-256: 413741136a1ff386a86e02d48787b2d6d30677819cfb17d5ffdbfb70c38b97a2

150 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded URLs pointing to other PDF files, indicating a link farm strategy. This is strongly suggestive of SEO spam or a phishing campaign designed to drive traffic to malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic redirection intent.

Machine Learning

Nyx PDF Classifier malicious score 0.9987

Heuristics 3

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://moms-space.net/uploads/1/3/0/2/130291539/jiveralerigof-jusalonidetije-divar-mubapixokuz.pdf
- http://northeastgridironpromotions.com/uploads/1/3/0/4/130477245/2948637.pdf
- http://humanisingtheenterprise.com/uploads/1/3/0/6/130620813/naregavaxijo_denemekifub_tutivit.pdf
- http://barfingcow.com/uploads/1/3/0/7/130740206/rotegojogavub.pdf
- http://netoaterro.com/uploads/1/3/0/3/130313582/pidigemevukibi.pdf
- http://nomadcc.com/uploads/1/3/0/7/130775701/2688645.pdf
- http://barcorealtyofaquia.com/uploads/1/3/0/6/130621709/c1f2551.pdf
- http://novaimmobilien.eu/uploads/1/3/0/6/130639498/819726a.pdf
- http://findingmybeautiful.com/uploads/1/3/0/4/130435842/zobetevedigepej-vevifoduso-vewujuzusalos-pawevoneti.pdf
- http://bitcoinexchange.net/uploads/1/3/0/4/130488322/xowiwuvogagovekofu.pdf
- http://dollarforacause.org/uploads/1/3/0/6/130620280/genubabilusa.pdf
- http://moneypain.com/uploads/1/3/0/2/130289315/4551747.pdf
- http://dominicbercier.com/uploads/1/3/0/4/130483256/sajupoxejok.pdf
- http://torontogreekdj.com/uploads/1/3/0/3/130323187/6a1cfd8243a7.pdf
- http://porterforcanton.com/uploads/1/3/0/4/130435619/3563000.pdf
- http://yourpackaging.design/uploads/1/3/0/6/130639269/56b99ff5.pdf
- http://zenwich.co/uploads/1/3/0/6/130620230/xorililopojorodipade.pdf
- http://myexpatsipp.com/uploads/1/3/0/2/130273801/4874356.pdf
- http://www.juliayouells-edtech.com/uploads/1/3/0/3/130323959/3494fc7b956.pdf
- http://www.visionheli.com/uploads/1/3/0/8/130813740/budebuzeda_turibovori_fiketejopima_tujobilovekufil.pdf
- http://secretweaponstudio.com/uploads/1/3/0/6/130639800/413baf4d3df96.pdf
- http://daleystyle.com/uploads/1/3/0/2/130272318/xonawuru-gizid-zetukewifumiv.pdf
- http://beatwood.eu/uploads/1/3/0/4/130477613/dofawegoxix-wowetabipavibup.pdf
- http://changedthrutheword.gammaxiques.org/uploads/1/3/0/5/130543134/130543134.html#basketball+rules+australia+2017
- http://www.visionheli.com/uploads/1/3/0/8/130813740/budebuzeda_turibovori_fiketejopima_tujobilovekufi

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000194a.bin` `4f2dec91d1b52b2639d306f7c5206f25bb2ac19f1fa82e4313b4145163559f8c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x194A	10436 bytes
`font_01_sfnt_off0001ef2e.bin` `63f5e27ee3d24cc00d413e59c301cc73ab377383609796993547673f2bea898c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1EF2E	2600 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.