Malicious PDF — malware analysis report

Static analysis result for SHA-256 69fe694a45b991a0…

Verdict: MALICIOUS
File type: PDF
Size: 44.1 KB
Authoring application: LibreOffice
MD5: 4a12ac4c532a3fe3f4229705e15de067
SHA-1: 145c10c99739f31308f88881ef55c388fb61e12b
SHA-256: 69fe694a45b991a0c53138a266d68ef53b584e5c04031a1e7f31ec7aa37de97c
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic: a small (44.1 KB) document whose content is essentially a list of links is the pattern of generated SEO/link-farm carriers that route users to phishing pages or unwanted-software downloads. The ClamAV signature (Pdf.Phishing.TtraffRobotInstall-7605656-0) and the ML classifier score independently support the malicious verdict. No JavaScript or other embedded scripts were extracted, so the file does not execute anything on open; the risk lies entirely in the links, which hand the user to a second-stage page rather than to a local payload. Note that although the heuristic text speaks of clustering on one host, the 20 extracted URLs span 20 distinct hosts and instead share an identical /uploads/1/3/0/<n>/<id>/<file> path layout (19 .pdf targets and one .html target); this uniform generated structure is the stronger signal. Treat every listed URL as a live indicator: do not open it from an analyst workstation, and use it for blocking and for retrospective hunting in proxy logs.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mjbjacobs.com/uploads/1/3/0/6/130603827/4381450.pdf
    • http://www.0frenchpolishing.com/uploads/1/3/0/6/130620792/zojoloj.pdf
    • http://ranfordelectricalservices.com/uploads/1/3/0/8/130813582/vopureparaf-fixifevewisu.pdf
    • http://electricianmartincounty.com/uploads/1/3/0/6/130620690/6588702.pdf
    • http://newenglandemmys.com/uploads/1/3/0/2/130272319/mepexawuj_keluririzixi_fetoxekuj_tovagefujutudiz.pdf
    • http://credo.news/uploads/1/3/0/6/130639763/2894697.pdf
    • http://contractlawtraining.com/uploads/1/3/0/7/130738835/lerur.pdf
    • http://www.superiormarketing.services/uploads/1/3/0/2/130288364/7ce7ae239a321.pdf
    • http://mercyscleaningservices.com/uploads/1/3/0/7/130776401/3232669.pdf
    • http://nmpstag.com/uploads/1/3/0/7/130776330/modanobikenumab.pdf
    • http://melindamiguel.com/uploads/1/3/0/4/130436182/9b36a.pdf
    • http://fourleafsurgical.com/uploads/1/3/0/6/130620441/2068523.pdf
    • http://eaglespridervspacecoast.com/uploads/1/3/0/2/130272862/2794349.pdf
    • http://simplerstrikeoff.co.uk/uploads/1/3/0/3/130312971/fadufavonezememu.pdf
    • http://stevenrobinsonmusic.com/uploads/1/3/0/7/130739379/dumegovo.pdf
    • http://kangxingroup.com/uploads/1/3/0/2/130289549/xobamajuxelesodow.pdf
    • http://torontogreekdj.com/uploads/1/3/0/7/130739928/0593efd210.pdf
    • http://juridicorapido.com/uploads/1/3/0/7/130740438/f7f44fa845.pdf
    • http://paradiseuganda.net/uploads/1/3/0/5/130589216/143eab18d.pdf
    • http://q5u5v.bpmtc.com/uploads/1/3/0/7/130775247/130775247.html#tefal+hot+air+fryer+reviews
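As an added example (not part of this report or of the analysis tool that produced it), the following Python re-implements a PDF_SEO_LINK_FARM-style check from scratch: it pulls /URI link actions out of raw PDF bytes without any PDF library, then applies a size threshold, a link-count threshold, and a clustering test. Because the URLs in this report sit on 20 different hosts but share one path layout, the example clusters on a normalised path template as well as on host. The thresholds (64 KB, 10 links, 60 % clustering), the placeholder hosts under .example, and the build_sample_pdf helper that fabricates a minimal PDF to scan are all assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# /URI string of a link action. The class tolerates escaped parentheses inside
# the literal string so a URL such as http://h/a\)b does not truncate the match.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def build_sample_pdf(urls):
    """Constructed input (not the analysed sample): a one-page PDF whose only
    content is a stack of link annotations, one per URL."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + refs + b"] >>")
    for i, url in enumerate(urls):
        y = 700 - 20 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] "
                    b"/Border [0 0 0] /A << /S /URI /URI (%s) >> >>"
                    % (y, y + 15, url.encode("latin-1")))
    out = b"%PDF-1.4\n"
    for n, obj in enumerate(objs, start=1):
        out += b"%d 0 obj\n%s\nendobj\n" % (n, obj)
    # No xref table: irrelevant for a static byte scan, and real carriers are
    # often just as sloppy.
    return out + b"trailer << /Root 1 0 R >>\n%%EOF\n"


def extract_link_uris(pdf_bytes):
    """Every /URI string in the raw bytes, with PDF string escapes undone."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def path_template(path):
    """Collapse a URL path to its shape: last component -> <file>, digits -> N.
    /uploads/1/3/0/6/130603827/4381450.pdf becomes /uploads/N/N/N/N/N/<file>."""
    parts = path.split("/")
    if len(parts) > 1:
        parts[-1] = "<file>"
    return re.sub(r"\d+", "N", "/".join(parts))


def link_farm_verdict(pdf_bytes, max_size=64 * 1024, min_links=10, cluster_ratio=0.6):
    """Assumed thresholds (the report does not publish its own): flag a PDF at
    or under max_size bytes with at least min_links http(s) links of which a
    fraction >= cluster_ratio share one host or one path template."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter(urlparse(u).hostname or "" for u in external)
    templates = Counter(path_template(urlparse(u).path) for u in external)
    top_host = hosts.most_common(1)[0][1] if hosts else 0
    top_tmpl = templates.most_common(1)[0][1] if templates else 0
    cluster = max(top_host, top_tmpl) / n if n else 0.0
    flagged = len(pdf_bytes) <= max_size and n >= min_links and cluster >= cluster_ratio
    return {
        "size": len(pdf_bytes),
        "external_links": n,
        "distinct_hosts": len(hosts),
        "cluster_ratio": round(cluster, 2),
        "flagged": flagged,
    }


# Constructed URL sets; the hosts are placeholders, not the ones in the report.
FARM_URLS = [
    "http://site%02d.example/uploads/1/3/0/%d/13060%04d/%sdoc.pdf" % (i, i % 9, i, chr(97 + i))
    for i in range(12)
]
BENIGN_URLS = [
    "https://www.example.org/standards/rfc8446",
    "https://docs.example.net/guide/install.html",
    "http://archive.example.com/papers/2019/tls.pdf",
]

if __name__ == "__main__":
    for label, urls in (("farm", FARM_URLS), ("benign", BENIGN_URLS)):
        print(label, link_farm_verdict(build_sample_pdf(urls)))
```

Running it prints a verdict dict for the constructed farm PDF (flagged: 12 links on 12 hosts, all sharing one path template) and for a three-link benign PDF (not flagged). For a real sample, pass the raw file bytes to link_farm_verdict. The regex only sees literal /URI strings, so links inside compressed object streams would need the streams inflated first; that limitation matters before trusting a negative result.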

Extracted artifacts (1)

Files carved from inside the sample during analysis. An embedded font subset is normal output for a LibreOffice-generated PDF; it is carved for completeness and is not itself a detection.

Filename: font_00_sfnt_off00004b9d.bin
SHA-256: 13f3e7f43fed9b25917f075df4f40d4c63333e25e6ea0da62195256b368582b4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4B9D
Size: 8908 bytes