Malicious PDF — malware analysis report

Static analysis result for SHA-256 5124064148d1b4c4…

MALICIOUS

PDF

Size: 30.1 KB
Authoring application: LibreOffice
MD5: f2f3708c323bd40436e8cdeb6a0cecf9
SHA-1: 021338a831e4d4fb2a2c5e0d1da77496c3bc5e6c
SHA-256: 5124064148d1b4c42741a49913fefe7b35bcd8e54bccc265ad16001c40a528b3
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of embedded links to external PDF files hosted on various domains, indicating a link farm designed to distribute malicious content. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or malware distribution. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001204.bin
SHA-256: 2dea662d88233fc59214cd24dfcc97e3272b54a63ac9186df37cae39d47d2a2c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1204
Size: 7632 bytes