Malicious PDF — malware analysis report

Static analysis result for SHA-256 659f249bc9d89042…

MALICIOUS

PDF

32.7 KB Authoring application: LibreOffice Draw
MD5: d5bbf641dff0480a1e227624014de957 SHA-1: cd15a8c174f8729fe43cee187d7498e3b0371122 SHA-256: 659f249bc9d890421e5ed99aa1743460f39343c204940946222c5f63d2e9fc0b
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO manipulation or to distribute further malicious content. ClamAV detected this file as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and a machine learning classifier also flagged it with high confidence. The embedded URLs are the primary IOCs, suggesting a phishing or content distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://clontarfbuildinghistory.com/uploads/1/3/0/5/130589085/xivolakuf_gureduwilo_zanekage_lijuko.pdf
    • http://empireofthedead.org/uploads/1/3/0/7/130775892/95bdf15a80e.pdf
    • http://webmail.lfvalue.com/uploads/1/3/0/8/130813639/2d0abe5.pdf
    • http://north42sales.ca/uploads/1/3/0/3/130379596/bilewabuxa.pdf
    • http://nlccpsw.org/uploads/1/3/0/6/130605074/lopirupe.pdf
    • http://www.eaterylab.com/uploads/1/3/0/5/130543346/db79f82edc6ed.pdf
    • http://stevenmelgroup.com/uploads/1/3/0/3/130379094/muwibekidetoj_bixiv.pdf
    • http://myjandj.com/uploads/1/3/0/7/130775776/35c65b700213.pdf
    • http://morethanapipeline.org/uploads/1/3/0/5/130550823/404049.pdf
    • http://www.club10.com.au/uploads/1/3/0/5/130539913/2241017.pdf
    • http://peacesupportfund.org/uploads/1/3/0/3/130379353/vebimolifurepowi.pdf
    • http://gemmillion.com/uploads/1/3/0/7/130776617/4bcb28ade.pdf
    • http://jorgelemus.com/uploads/1/3/1/0/131069874/131069874.html#it6702+data+warehousing+and+data+mining+lesson+plan

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000281a.bin
d4afe4d7356a76243008869cf085af5220ef1dc112373708a6fc6791bdfab62d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x281A 7792 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.