Malicious PDF — malware analysis report

Static analysis result for SHA-256 6cb086b66128d14d…

Verdict: MALICIOUS
File type: PDF
Size: 45.5 KB
Authoring application: OpenOffice Draw
MD5: 39dbc693287d4b4c78dfafb1d15f4ae2
SHA-1: 7d213d10f2245609fd85b97e4dbb6b79b2037b36
SHA-256: 6cb086b66128d14daa3d012ffb6f2c0beb2bcb7ae11ba8ef055902e48148bafc
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of clickable URLs pointing to external PDF documents, flagged by the PDF_SEO_LINK_FARM heuristic. The targets are spread across many unrelated domains but share a single path template (/uploads/1/3/0/<n>/<site id>/<file>.pdf), which is characteristic of machine-generated link-farm PDFs used to manipulate search rankings or to route readers into further download chains, not of a genuine citation pattern. ClamAV names the file Pdf.Phishing.TtraffRobotInstall-7605656-0 and the Nyx PDF classifier scores it 1.0000 malicious, both corroborating the heuristic. No scripts were extracted from this sample, and the document body was heavily obfuscated and truncated, so the specific lure could not be characterised. The last five URLs in the list below (ascendercorp.com, the Liberation font licence page and dejavu.sourceforge.net) are font vendor and licence addresses of the kind the Liberation and DejaVu fonts carry in their name tables; they very likely originate from the three embedded sfnt fonts listed under extracted artifacts rather than from link annotations, and should not be treated as indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, typically clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the links are spread across many hosts but share one path template, which is the same generated-carrier signature.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is the channel that reached each URL (macro, JS, link annotation, document body, font metadata, ...), and those per-URL channel labels are not reproduced in this export.
    • http://accountinghoustontexas.com/uploads/1/3/0/5/130552016/1780464.pdf
    • http://buygreatpot.com/uploads/1/3/0/4/130488412/49fa9086f9.pdf
    • http://northshorelemonade.com/uploads/1/3/0/8/130814785/tonisejodekovebek.pdf
    • http://realorlando.net/uploads/1/3/0/2/130289205/gitiwe.pdf
    • http://chronicwellnessexpert.org/uploads/1/3/0/8/130814423/wigex.pdf
    • http://mn-servicellc.com/uploads/1/3/0/7/130739416/mapeto.pdf
    • http://bataviagameon.com/uploads/1/3/0/5/130550970/duzomino-wobexe-xubatipelop-womiwoj.pdf
    • http://orangeparktreeservice.com/uploads/1/3/0/3/130379096/zezitujebigoketax.pdf
    • http://metavoia.com/uploads/1/3/0/2/130271209/jadeturarazamaka.pdf
    • http://philadelphon.org/uploads/1/3/0/6/130621765/nakubupel.pdf
    • http://nomadel.com/uploads/1/3/0/7/130738712/jumujasa.pdf
    • http://www.phoenixhelitraining.com/uploads/1/3/0/7/130739910/jugetu_misuxejibasolaj_lepepudaja_pakizekuze.pdf
    • http://bewellmindset.org/uploads/1/3/0/7/130739619/4758594.pdf
    • http://saigonapartmentcenter.com/uploads/1/3/0/2/130287246/sefobo_kinap_jituguwebi_zenefenig.pdf
    • http://mordecaimatters.com/uploads/1/3/0/5/130542773/zutuzilu-fefuved.pdf
    • http://mysifortenbery.com/uploads/1/3/0/6/130620222/1826596.pdf
    • http://74-123-72-229.mgwnet.com/uploads/1/3/0/6/130639173/130639173.html#polar+form+to+rectangular+form+casio
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
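
As an added illustration of the PDF_SEO_LINK_FARM logic (this is not the analysis platform's own code), the following script builds a small synthetic PDF whose /Link annotations follow the same /uploads/1/3/0/<n>/<id>/<file>.pdf template as the URLs above, extracts the /URI targets, and scores the document on the three signals the heuristic describes: number of external PDF links, file size, and how tightly the targets cluster on one host or one path template. The .test hostnames, the thresholds, and the flat-file parsing (literal /URI strings in uncompressed objects, no escape handling) are assumptions for the example; a real sample needs a proper PDF parser that handles object streams and string escapes.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Literal-string /URI actions as they appear in an uncompressed object (assumption).
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")


def build_pdf(urls):
    """Constructed sample: a minimal one-page PDF with one /Link annotation per URL."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            None]                       # page object is filled in below
    refs = []
    for i, url in enumerate(urls):
        refs.append(f"{4 + i} 0 R".encode())
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + url.encode() + b") >> >>")
    objs[2] = (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
               b"/Annots [" + b" ".join(refs) + b"] >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_at = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{off:010d} 00000 n \n".encode() for off in offsets)
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_at}\n%%EOF\n").encode()
    return bytes(out)


def extract_link_uris(pdf_bytes):
    """Targets of /URI actions found in uncompressed objects (see URI_RE assumption)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def path_template(url):
    """Collapse digit runs and the file name so sibling URLs map to one pattern,
    e.g. /uploads/1/3/0/5/130552016/1780464.pdf -> /uploads/N/N/N/N/N/*.pdf"""
    path = urlsplit(url).path
    head, _, leaf = path.rpartition("/")
    head = re.sub(r"\d+", "N", head)
    ext = leaf.rsplit(".", 1)[1].lower() if "." in leaf else ""
    return f"{head}/*.{ext}" if ext else f"{head}/*"


def assess_link_farm(pdf_bytes, min_links=10, max_size_kb=100.0, min_cluster=0.75):
    """Score the document on the heuristic's signals. Thresholds are assumptions."""
    urls = extract_link_uris(pdf_bytes)
    pdf_links = [u for u in urls
                 if urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    n = len(pdf_links)
    host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    template, t_count = templates.most_common(1)[0] if n else ("", 0)
    template_share = t_count / n if n else 0.0
    size_kb = len(pdf_bytes) / 1024
    # one dominant host or one dominant path template both count as clustering
    clustered = max(host_share, template_share) >= min_cluster
    return {
        "total_urls": len(urls),
        "external_pdf_links": n,
        "distinct_hosts": len(hosts),
        "dominant_template": template,
        "template_share": round(template_share, 2),
        "size_kb": round(size_kb, 1),
        "flagged": n >= min_links and size_kb <= max_size_kb and clustered,
    }


# Constructed link-farm sample: 14 targets on 14 unrelated placeholder hosts (.test TLD)
# sharing one path template, plus two non-PDF links of the kind font metadata carries.
FARM_URLS = [f"http://site-{i:02d}.test/uploads/1/3/0/{i % 9}/1305{i:05d}/{1780000 + i}.pdf"
             for i in range(14)]
BENIGN_URLS = ["https://fedoraproject.org/wiki/Licensing/LiberationFontLicense",
               "http://dejavu.sourceforge.net/wiki/index.php/License"]
FARM_PDF = build_pdf(FARM_URLS + BENIGN_URLS)
# Constructed control: an ordinary document citing two PDFs on two hosts.
CONTROL_PDF = build_pdf(["https://a.test/report.pdf", "https://b.test/paper.pdf"])

if __name__ == "__main__":
    print("farm:   ", assess_link_farm(FARM_PDF))
    print("control:", assess_link_farm(CONTROL_PDF))
```

The template collapse is what separates this sample from the heuristic's canned "one host" wording: every target host is different, yet all seventeen farm paths reduce to one pattern, so clustering is measured on the stronger of host share and template share rather than on hosts alone.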

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003081.bin
  SHA-256: 5a12e849165775d4d518e50555f522ef32167a1679042558a86d29f032a0a734
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x3081
  Size:    3348 bytes

Filename: font_01_sfnt_off00003b42.bin
  SHA-256: eb3eb75404dce3ff5138856fdb64036719bdd557a5f8c062583c2614eddde746
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x3B42
  Size:    16072 bytes

Filename: font_02_sfnt_off0000530e.bin
  SHA-256: 54d65099f86ee50188614e8b8f85ce61cc95958d8a386c7fec3ec329b2240901
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x530E
  Size:    8884 bytes
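
The artifacts above are font programs carved out of the PDF's font streams. As an added example (not the platform's own carving code), the following script shows the basic step: walk every stream ... endstream pair, inflate the body if the preceding dictionary declares /FlateDecode, and keep the streams whose decoded bytes begin with an sfnt magic, recording the raw offset, decoded size and SHA-256 in the shape of the table above. Because the report notes that the document body was truncated, the carver uses a streaming inflater and marks a record as incomplete when the deflate trailer is missing instead of discarding the partial font. The PDF fragment and the font bytes in it are constructed; the decoded bytes form only a syntactically plausible sfnt header, not a usable font, and the parser assumes uncompressed object dictionaries within a few hundred bytes before each stream keyword.

```python
import hashlib
import re
import zlib

# stream keyword not preceded by "end", then the body up to the next endstream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
SFNT_MAGIC = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType (Apple)",
              b"OTTO": "OpenType/CFF", b"ttcf": "TrueType collection"}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_sfnt_streams(pdf_bytes, lookback=400):
    """One record per stream whose (decoded) body starts with an sfnt magic.
    Assumption: the stream dictionary sits uncompressed within `lookback`
    bytes before the stream keyword, as it does in flat files."""
    found = []
    for m in STREAM_RE.finditer(pdf_bytes):
        raw = m.group(1)
        header = pdf_bytes[max(0, m.start() - lookback):m.start()]
        data, complete = raw, True
        if b"/FlateDecode" in header:
            inflater = zlib.decompressobj()
            try:
                data = inflater.decompress(raw)   # returns what it can on truncation
            except zlib.error:
                continue                          # not deflate at all; skip it
            complete = inflater.eof               # False when the trailer is missing
        kind = SFNT_MAGIC.get(data[:4])
        if kind is None:
            continue
        found.append({
            "filename": f"font_{len(found):02d}_sfnt_off{m.start(1):08x}.bin",
            "offset": m.start(1),                 # raw stream body offset in the file
            "kind": kind,
            "size": len(data),                    # decoded size, as in the table
            "sha256": sha256_hex(data),
            "complete": complete,
        })
    return found


def fake_sfnt():
    """Constructed TrueType-style header: version 1.0, one directory entry for a
    'head' table, then filler. Not a loadable font, just enough to be carved."""
    body = bytes(range(256)) * 2
    offset_table = b"\x00\x01\x00\x00" + (1).to_bytes(2, "big") + b"\x00\x10\x00\x00\x00\x00"
    directory = (b"head" + b"\x00" * 4 + (12 + 16).to_bytes(4, "big")
                 + len(body).to_bytes(4, "big"))
    return offset_table + directory + body


FONT = fake_sfnt()
COMPRESSED = zlib.compress(FONT)
# Constructed PDF fragment: one plain content stream (skipped) and one FlateDecode
# font stream. No xref table; the carver never needs one.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"4 0 obj\n<< /Length 15 >>\nstream\nBT /F1 12 Tf ET\nendstream\nendobj\n"
    + b"5 0 obj\n<< /Length " + str(len(COMPRESSED)).encode()
    + b" /Filter /FlateDecode /Length1 " + str(len(FONT)).encode() + b" >>\nstream\n"
    + COMPRESSED + b"\nendstream\nendobj\n"
    + b"%%EOF\n"
)
# Same fragment with the deflate trailer (adler32) cut off, as a truncated file would be.
TRUNCATED_PDF = SAMPLE_PDF.replace(COMPRESSED, COMPRESSED[:-4])

if __name__ == "__main__":
    for rec in carve_sfnt_streams(SAMPLE_PDF) + carve_sfnt_streams(TRUNCATED_PDF):
        print(rec)
```

The offset recorded is that of the raw (still compressed) stream body, which is what a hex editor shows; the size and hash are of the decoded bytes, which is what gets written to disk and what the SHA-256 column above refers to.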