Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ecf30c95ac348fe…

Verdict: MALICIOUS

File type: PDF

Size: 39.1 KB
Authoring application: LibreOffice Draw

MD5: bc174a83fdb51bbb5dc5f7ae5832edd8
SHA-1: 51c1f1e5c9bc409b0b340c56dc2b8899194daf76
SHA-256: 5ecf30c95ac348fe31dd55ebdde6913520b05476c9f0ad81b7546b0935836154

Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of embedded URLs, identified as a link farm, which is a common technique for SEO manipulation or distributing malicious content. ClamAV detected this as Pdf.Phishing.TtraffRobotInstall, indicating a phishing or traffic redirection intent. The embedded URLs likely serve as a mechanism to redirect users to malicious sites or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00002bb8.bin
    SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2BB8
    Size: 1708 bytes
  • font_01_sfnt_off000033b0.bin
    SHA-256: 6dc6e07f93ae70488a19e8a398a1c6cda2f5723fc3d3cbe180c5afbb10c3611e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x33B0
    Size: 2864 bytes
  • font_02_sfnt_off0000402d.bin
    SHA-256: e0cb4f4bd888d2ae1dc71d40410d57634f01b5d22bf8acdd572627c415f7c980
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x402D
    Size: 7896 bytes