Malicious PDF — malware analysis report

Static analysis result for SHA-256 699d3ca24d21890c…

MALICIOUS

PDF

Size: 39.5 KB
Authoring application: LibreOffice
MD5: 50b818db7b06bfb77b0e7cdd00cf652c
SHA-1: a6d69d2b50d9f9229406ed31844b6a55a92f1b8a
SHA-256: 699d3ca24d21890c6ace427ad7684ab26093a5d4a26566fe6794d437af3657e7
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links to external PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests a tactic to manipulate search engine results or to distribute additional malicious content. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://jinyu.us/uploads/1/3/0/5/130590739/27fe448fb.pdf
    • http://paradigmlifefitness.com/uploads/1/3/0/6/130639689/2437344.pdf
    • http://discoverreps.com/uploads/1/3/0/3/130312973/sozimorepafa_busagovuxadu_kewiviwigiguba.pdf
    • http://drfilldental.com.au/uploads/1/3/0/6/130621309/dizevoleg.pdf
    • http://camp720.com/uploads/1/3/0/7/130738951/ganiwitow-zusovefu-saseb.pdf
    • http://www.aglup.ca/uploads/1/3/0/5/130543169/30ccd2ba311fd.pdf
    • http://myjourneyracing.com/uploads/1/3/0/2/130272616/kozokotero.pdf
    • http://micro-cadlimited.com/uploads/1/3/0/9/130969346/77681e2.pdf
    • http://www.hydrashieldwater.com/uploads/1/3/0/9/130969624/58cca016af5.pdf
    • http://sberprize.space/uploads/1/3/0/5/130539279/pudakejuzo.pdf
    • http://mannylozanomusic.com/uploads/1/3/0/5/130589010/f2f7efe4c060c39.pdf
    • http://neurolytics.net/uploads/1/3/0/2/130287246/gobezenu-bejejalele.pdf
    • http://www.justbringbaby.com/uploads/1/3/0/5/130588867/jojepominipotinise.pdf
    • http://stricklandoutdoorsupply.com/uploads/1/3/0/5/130551343/jotixododanelup-nunifelojogil.pdf
    • http://besttreeservicememphis.com/uploads/1/3/0/7/130739816/podutud.pdf
    • http://biggunsunited.com/uploads/1/3/0/6/130620730/8453580.pdf
    • http://moorslawconsulting.org/uploads/1/3/0/6/130640094/datokuze.pdf
    • http://realcoolsite.com/uploads/1/3/0/3/130379356/28466e.pdf
    • http://mta-sts.mail.courtneyanderson.com/uploads/1/3/0/6/130603922/gevelovot.pdf
    • http://mgsathletics.com/uploads/1/3/0/4/130483350/4406905.pdf
    • http://sssplumbingsupply.com/uploads/1/3/0/8/130814349/kefolanezapokadunavo.pdf
    • http://triangleadvisorsgroup.org/uploads/1/3/0/2/130289755/rezaxovaramol.pdf
    • http://abitofdecadence.com/uploads/1/3/0/7/130776478/130776478.html#what+is+atkinson+shiffrin+model+of+memory

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003a77.bin
SHA-256: 4bd9eb0bc16382ce64c06b48affad94c9334cc87d1d0d8f2efbc24a9c916c82a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3A77
Size: 7344 bytes