Malicious PDF — malware analysis report

Static analysis result for SHA-256 622b870b8c090363…

MALICIOUS

PDF

38.2 KB Authoring application: OpenOffice Draw
MD5: 3eae7417664e8bfdceff6790baf3c262 SHA-1: 032429a27aecea4759268a13d054d93b8db004b1 SHA-256: 622b870b8c090363d8c2dfc414f396ef7fe7329b45081964a63cc918f5030a2f
200 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a mass of external links, many of which are structured as numeric slugs, suggesting a link farm for SEO poisoning. The presence of a fake CAPTCHA heuristic indicates a social engineering attempt to trick the user into interacting with the document. The ClamAV detection and ML classifier strongly suggest malicious intent, likely to redirect users to malicious content or download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Fake CAPTCHA / human verification prompt high SE_FAKE_CAPTCHA
    Document displays a fake CAPTCHA or human-verification prompt — used to trick users into running commands or pressing keyboard shortcuts
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://stellartrading.co/uploads/1/3/0/2/130287279/9801732.pdf
    • http://slbcakes.com/uploads/1/3/0/6/130621979/6178716.pdf
    • http://amd11z.com/uploads/1/3/0/4/130476778/9673631d3cd.pdf
    • http://shootingcourse.space/uploads/1/3/0/7/130776714/6785361.pdf
    • http://taterbucks.com/uploads/1/3/0/5/130540699/113d6.pdf
    • http://notforprophet.net/uploads/1/3/0/6/130620792/datij.pdf
    • http://night-at-the-museum-rotary.org/uploads/1/3/0/4/130488975/fugisidojajuzi_givavago_lafebewobazabi.pdf
    • http://togobogo.com/uploads/1/3/0/7/130740082/rawinipupafer-xowalaw-dikofuluripudof.pdf
    • http://art2artexhibitions.com/uploads/1/3/0/7/130776571/botarer.pdf
    • http://myskinfit.com/uploads/1/3/0/3/130312914/xutov-suzavokufuf.pdf
    • http://dubewholesale.com/uploads/1/3/0/8/130813668/zubolivalawozoruf.pdf
    • http://agslist.com/uploads/1/3/0/8/130813827/duduvemikep.pdf
    • http://index92.pleasingfood.com/uploads/1/3/0/7/130776801/130776801.html#rpf+ancillary+answer+key+2019+group+b

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003baf.bin
8be20a522c12b0bae7a35b5ccbc2efacfb29015a3fbc96d51cd9c4d4237f0b5f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3BAF 8616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.