Malicious PDF — malware analysis report

Static analysis result for SHA-256 63f87faa00fa2ab3…

MALICIOUS

PDF

Size: 40.6 KB
Authoring application: OpenOffice Draw
MD5: ef9398b70eb4e8c1d16e354a2b479ebc
SHA-1: 54f344435b9878bc78195c94fe0fab42b54f172a
SHA-256: 63f87faa00fa2ab31605cecd8b776333a3811ab61917466d4ef7cd9e0770e14e
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, as detected by the PDF_SEO_LINK_FARM heuristic. The document body, though heavily obfuscated, also contains URLs that mirror those found in the link farm. This suggests the primary purpose is to redirect users to a large collection of other PDF files, potentially for SEO spam or to distribute further malicious content. No scripts were extracted, but the presence of numerous external links points to a phishing or content distribution attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mtdromedaryuc.org/uploads/1/3/0/2/130270833/xebofuwewam_tufezegep.pdf
    • http://xoveto.gg-jewelry.ru/uploads/2020/01/27/totutuvipozagiru.pdf
    • http://abetamassage.com/uploads/1/3/0/3/130379110/vopefadepotefup_pogumulagotuj_fasizevepaso_feropi.pdf
    • http://wishingpermission.com/uploads/1/3/0/3/130379548/dafivez.pdf
    • http://naominnewmexico.com/uploads/1/3/0/5/130539897/9468114.pdf
    • http://ryazremont.ru/uploads/2020/01/28/1f7caa945c45d9.pdf
    • http://zumaz.avonbox.ru/uploads/2020/01/28/734e7ad1b5.pdf
    • http://basketball-skills-training.com/uploads/1/3/0/2/130272848/94a92f017f3449.pdf
    • http://florissimo29.ru/uploads/2020/01/27/c8c477f.pdf
    • http://nationalriskmanagementgroup.com/uploads/1/3/0/3/130323237/xodirumobix-talukudufo.pdf
    • http://arcpfg.com.au/uploads/1/3/0/6/130639924/lomozikosoz.pdf
    • http://fip.game-server-and-client-configuration-in-sync.ru/uploads/2020/01/28/wogaferunud.pdf
    • http://newbioconsulting.com/uploads/1/3/0/6/130605355/7442919.pdf
    • http://cantonfair2u.com/uploads/1/3/0/6/130622012/3634473.pdf
    • http://dam-rh.com/uploads/1/3/0/3/130323374/2477214.pdf
    • http://juzu.vipiski-online8.icu/uploads/2020/01/28/xelarulaw.pdf
    • http://partiesbyflo.com/uploads/1/3/0/5/130551239/paxajerekofiwaja.pdf
    • http://faguxisom.pweuxk.xyz/uploads/2020/01/28/b51131cfaea5e1.pdf
    • http://justice4paulawagner.com/uploads/1/3/0/6/130621366/girumowavuji-xobevuwu.pdf
    • http://lew.lioeleshop.ru/uploads/2020/01/27/3da27310e.pdf
    • http://baguvuxudi.lakan.ru/uploads/2020/01/27/jalogukem.pdf
    • http://beingself-centered.com/uploads/1/3/0/5/130551049/130551049.html#mla+format+bibliography+website+generator

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000162f.bin
SHA-256: 151cb40c4ee4fc6d56f829a8ad257a2821301538e108d26825f084e6dbda3a14
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x162F
Size: 7812 bytes