Malicious PDF — malware analysis report

Static analysis result for SHA-256 6de23375d1142ac2…

MALICIOUS

PDF

Size: 39.4 KB
Authoring application: OpenOffice Draw
MD5: 5c38bd538453c633799e5d3da23743d7
SHA-1: 0508b81b4d52991acc42a10daf0435c0616b59c7
SHA-256: 6de23375d1142ac266e488c4a4f15efd6284ac4320fe2bd9c2d897c45a953e82
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded URLs, masquerading as movie download links, which is indicative of a phishing or malware distribution scheme. The ClamAV detection and ML classifier strongly suggest malicious intent, likely to redirect users to malicious sites or download further payloads. The heuristic PDF_SEO_LINK_FARM indicates a mass external PDF link farm, further supporting the distribution of malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000138a.bin
SHA-256:  344e68368b9624b7658f4db55762c8d40f683923b2591944475b5f543804af72
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x138A
Size:     10500 bytes