Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b1c490924bd9a67…

MALICIOUS

PDF

Size: 38.5 KB
Authoring application: OpenOffice.org
MD5: 4d85781b0392344df93b239eacbcd542
SHA-1: f134b818c7f062f3dab3ca0e47f8bc555cfbcde9
SHA-256: 5b1c490924bd9a67f254cd46c129c4cf0a06a0a6b15e6b6fb635b0b13f8606a5
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO spam or to distribute malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. While no scripts were directly extracted, the PDF structure itself facilitates the distribution of external links, likely to host further malicious payloads or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000015c7.bin
SHA-256: b0401fed3725feece4ed854f5b1dbd8e65ccb774c413b7231fecca9ffdf176e3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x15C7
Size: 9656 bytes