Malicious PDF — malware analysis report

Static analysis result for SHA-256 62e8fcd62359d6e7…

MALICIOUS

PDF

Size: 38.8 KB
Authoring application: LibreOffice
MD5: 2fbabed5f72575bd832491416388c6fc
SHA-1: 2a48c8816f40f83964d770e76c3f81e37df96f89
SHA-256: 62e8fcd62359d6e73eddf6ef57b127b7f02dc1ea689fd62817cdc6d98032898b
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to other PDF files hosted on various domains. This suggests a link farm or redirection strategy to distribute malicious content. The ML_NYX_PDF_MALICIOUS and CLAMAV_DETECTION heuristics further confirm the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003a57.bin
    SHA-256: 8173b3a9e72a06a935c9c6d0e32ea0b5a15067e2f4dde5dee7ec53eac4f1b51e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3A57
    Size: 7792 bytes