Malicious PDF — malware analysis report

Static analysis result for SHA-256 57413ffbbe29d1bd…

Verdict: MALICIOUS
File type: PDF
Size: 43.7 KB
Authoring application: OpenOffice.org
MD5: f34fa8fdad57c1e3ce7abe28ae88d327
SHA-1: f5c0aab7ea441036b1c3eccff33175a7e5befb7d
SHA-256: 57413ffbbe29d1bda23b5ee636649a72d59ad80dde0978a798728ade5abbee26
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links and was flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection and the ML classifier also indicate maliciousness, specifically phishing and traffic redirection. The embedded URLs likely serve to distribute further malicious content or to manipulate search engine results.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, tag: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://kissbotr.com/uploads/1/3/0/4/130476122/3293881.pdf
    • http://joeljimenezfashion.shop/uploads/1/3/0/4/130490584/0fcf14332bff67.pdf
    • http://artintimidatinglife.com/uploads/1/3/0/2/130289763/790031.pdf
    • http://moveupwithus.net/uploads/1/3/0/6/130621900/8917867.pdf
    • http://oakdalepoolservice.com/uploads/1/3/0/6/130605368/5422120.pdf
    • http://thestorefrontgallery.com/uploads/1/3/0/5/130589048/89a99a2e5343.pdf
    • http://molliemonahan.com/uploads/1/3/0/7/130739706/5727906.pdf
    • http://nora-pauli.net/uploads/1/3/0/5/130550681/fegigavafom-fejaxarasu-lewumena-zoxubosibu.pdf
    • http://myeduzone.org/uploads/1/3/0/2/130288448/soxoz.pdf
    • http://rehphotography.org/uploads/1/3/0/3/130323210/130323210.html#good+platform+games+steam

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011ef.bin
SHA-256: d9c707033741548140d5c91769b299c28d06cbafecb27d75b95aac396d5a6b05
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11EF
Size: 8264 bytes