Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bf3847f533a9bef…

Verdict: MALICIOUS
File type: PDF
Size: 45.6 KB
Authoring application: OpenOffice Draw
MD5: f476b37cc28733afcb1b7053bb0d654e
SHA-1: 76499acb5a317236eeaaefd1c26cba79463758b3
SHA-256: 6bf3847f533a9bef4ec7ef9a31c37829b46f8e2d9bcfea464afa4eed4ce2c6f8
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of clickable external links, the pattern of a generated SEO/link-farm carrier that exists to route users onward rather than of a document that cites sources. In this sample the link targets are spread over several unrelated hostnames but share one generated path structure (/uploads/1/3/0/N/<numeric id>/<file>.pdf), which is consistent with the automated link-farm pattern the PDF_SEO_LINK_FARM heuristic describes. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 and the classifier score of 0.9999 corroborate the verdict. No JavaScript or other scripts were extracted, so the T1059.007 mapping is not supported by the recovered artifacts; the observed risk is redirection through the link chain, not code execution inside the reader. The ascendercorp.com and fedoraproject.org URLs are most likely font-vendor and licence references carried by the embedded fonts (the fedoraproject.org URL is the Liberation font licence page) rather than part of the link farm. Because this is a static result, the destination chain behind the links has not been followed; the verdict rests on the link pattern, the ClamAV signature and the classifier, not on observed payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://lynalen.com/uploads/1/3/0/7/130738661/1735069.pdf
    • http://beijingshinryukan.com/uploads/1/3/0/3/130323697/jimevasazenoben-zenumizakipan-tilamamiw-duduzogijema.pdf
    • http://centreformindfulness.ca/uploads/1/3/0/5/130589126/jolilebelis.pdf
    • http://muscleeasy.com/uploads/1/3/0/5/130539657/lotaturisafopadobu.pdf
    • http://performanceinc.club/uploads/1/3/0/6/130620690/8489559.pdf
    • http://handheldnation.com/uploads/1/3/0/4/130477455/nufoka_pumim_melogajej.pdf
    • http://colddiamnd.com/uploads/1/3/0/7/130776485/130776485.html#create+2019+calendar+in+google+sheets
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
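The two link-related heuristics above (PDF_SEO_LINK_FARM and the channel labelling behind EMBEDDED_URL) can be reproduced in a few dozen lines. The following is an added example written for this page, not the analyser's own code: it pulls /URI targets out of link annotations (the clickable channel), separates them from URLs that merely appear in text or metadata streams (the passive channel), and then scores the clickable set by host clustering and by a host-agnostic path template so that a farm spread over many domains with one generated path shape is still caught. The sample PDF, its *.example hosts and the thresholds are constructed assumptions; real samples need the usual caveats (hex-encoded /URI strings, objects packed into /ObjStm streams, encrypted files and non-Flate filters are not handled here).

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): six /URI link annotations plus one
# URL that exists only inside a FlateDecode metadata stream. The *.example hosts
# and numeric path segments are invented to mimic a generated-path link farm.
_LINKS = [
    "http://farm-a.example/uploads/1/3/0/7/100000001/report.pdf",
    "http://farm-b.example/uploads/1/3/0/3/100000002/guide.pdf",
    "http://farm-c.example/uploads/1/3/0/5/100000003/notes.pdf",
    "http://farm-d.example/uploads/1/3/0/6/100000004/9876543.pdf",
    "http://farm-e.example/uploads/1/3/0/4/100000005/form.pdf",
    "http://vendor.example/typedesigners.html",
]
_META_URL = "https://fedoraproject.org/wiki/Licensing/LiberationFontLicense"


def build_sample_pdf() -> bytes:
    """Assemble a minimal PDF: uncompressed link annotations, compressed metadata."""
    annots = b"".join(
        f"{i} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        f"/A << /S /URI /URI ({u}) >> >> endobj\n".encode()
        for i, u in enumerate(_LINKS, start=10)
    )
    refs = " ".join(f"{i} 0 R" for i in range(10, 10 + len(_LINKS)))
    meta = zlib.compress(f"<x:xmpmeta>licence: {_META_URL}</x:xmpmeta>".encode())
    return (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        + f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{refs}] >> endobj\n".encode()
        + f"4 0 obj << /Length {len(meta)} /Filter /FlateDecode >> stream\n".encode()
        + meta + b"\nendstream endobj\n" + annots
        + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")   # literal-string /URI values only
_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def searchable_views(pdf: bytes) -> list:
    """Raw bytes plus every stream body that inflates as zlib (FlateDecode)."""
    views = [pdf]
    for m in _STREAM_RE.finditer(pdf):
        try:
            views.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # image, encrypted or non-Flate stream: nothing readable here
    return views


def link_annotation_urls(pdf: bytes) -> list:
    """URLs a click would open: /URI action targets of link annotations."""
    return [m.group(1).decode("latin-1")
            for v in searchable_views(pdf) for m in _URI_RE.finditer(v)]


def passive_urls(pdf: bytes) -> list:
    """URLs present in text, metadata or font info but not clickable (informational)."""
    clickable = set(link_annotation_urls(pdf))
    seen = {m.group(0).decode("latin-1")
            for v in searchable_views(pdf) for m in _URL_RE.finditer(v)}
    return sorted(seen - clickable)


def path_template(url: str) -> str:
    """Host-agnostic path shape: digit runs become N, the final segment becomes *."""
    parts = urlsplit(url).path.split("/")
    parts[-1] = "*"
    return re.sub(r"\d+", "N", "/".join(parts))


# Thresholds are assumptions for this example, not the analyser's real settings.
SMALL_FILE_BYTES = 200 * 1024
MIN_LINKS = 5
SHARE_THRESHOLD = 0.5


def link_farm_assessment(pdf: bytes) -> dict:
    """Small file + many clickable external links that cluster on one host
    or on one generated path template -> flag as a link-farm carrier."""
    links = link_annotation_urls(pdf)
    n = len(links)
    hosts = Counter(urlsplit(u).hostname for u in links)
    templates = Counter(path_template(u) for u in links)
    top_host, host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl, tpl_n = templates.most_common(1)[0] if templates else (None, 0)
    host_share = host_n / n if n else 0.0
    tpl_share = tpl_n / n if n else 0.0
    flagged = (len(pdf) <= SMALL_FILE_BYTES and n >= MIN_LINKS
               and max(host_share, tpl_share) >= SHARE_THRESHOLD)
    return {
        "size": len(pdf), "link_count": n, "distinct_hosts": len(hosts),
        "dominant_host": top_host, "dominant_host_share": host_share,
        "dominant_path_template": top_tpl, "dominant_template_share": tpl_share,
        "passive_urls": passive_urls(pdf), "PDF_SEO_LINK_FARM": flagged,
    }
```

Running link_farm_assessment(build_sample_pdf()) flags the constructed file: six distinct hosts, so host clustering alone stays at 1/6, but five of the six clickable targets collapse to the template /uploads/N/N/N/N/N/*, which is the signal a farm spread across domains leaves behind. The licence URL surfaces only under passive_urls, mirroring the report's point that a URL in the document body or font metadata is context, not a detection.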

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt font subsets, which is normal output for the stated authoring application; no heuristic above refers to them.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000011a8.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x11A8  9124 bytes
    SHA-256: 89bb7bad4c26e8586149eee6a05d21fc8096f3fe7c541277cab9e3c25846e1d0
font_01_sfnt_off00006fdb.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6FDB  2600 bytes
    SHA-256: 63f5e27ee3d24cc00d413e59c301cc73ab377383609796993547673f2bea898c
font_02_sfnt_off00007852.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7852  1708 bytes
    SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086