Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ae9fbd4387c3a26…

MALICIOUS

PDF

Size: 84.3 KB
Authoring application: OpenOffice.org
MD5: 6ef30414ad3fcdb565783e168a179361
SHA-1: 6eda368af6a0fee4d379d87a189d74f2713b7ebb
SHA-256: 6ae9fbd4387c3a261efa0b90fd878cc6f6440820e3e4718829d5722dfee6ba59
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO spam or to distribute further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. No scripts were extracted, but the sheer volume of external links suggests a campaign to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

font_00_sfnt_off000041a1.bin
    SHA-256: 43f96ca5596d42651626a593fba5e719d28ad81232e5ebf74be8539b3ca86977
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x41A1
    Size: 11708 bytes

font_01_sfnt_off00010b0c.bin
    SHA-256: a2bc39c107693ee7ed457f215cd0fad5d3adac8cd1e07908cfeba8447e6a9b6a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10B0C
    Size: 4992 bytes