Malicious PDF — malware analysis report

Static analysis result for SHA-256 721dc3d332039fbe…

Verdict: MALICIOUS
File type: PDF
Size: 37.3 KB
Authoring application: OpenOffice.org
MD5: 16b189d551a4b9994e40b7a5df0f8cd4
SHA-1: f97d69dd6efa8242a7c38d37d5dbca40ae9c4055
SHA-256: 721dc3d332039fbe486d9d7475a741bacbc4ae1893d598d6e6af00dcfb2c36a7
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF was flagged by multiple heuristics: a critical rule for a mass external PDF link farm, a ClamAV phishing signature, and the embedded-URL extractor. The 22 extracted links are spread across unrelated hosts but share a single generated path template (/uploads/1/3/0/N/<numeric id>/<random name>.pdf), which is the hallmark of machine-generated carrier documents that route readers into unwanted-software or phishing delivery chains rather than a genuine citation pattern. The document body contains garbled text, so the file is not meant to be read; it exists only as a container for these links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://invictafirstaid.org/uploads/1/3/0/5/130540266/641d409.pdf
    • http://minimalwaste.net/uploads/1/3/0/6/130621622/tavetupubato.pdf
    • http://letuscall.net/uploads/1/3/0/5/130590219/nikekomig_lejesazotowu_kinesus.pdf
    • http://iowahomesteaderarts.com/uploads/1/3/0/5/130588349/lopabegudodupulupez.pdf
    • http://betstreamsp.com/uploads/1/3/0/2/130273798/2e3597.pdf
    • http://saari-ksa.com/uploads/1/3/0/5/130538836/povabelo.pdf
    • http://misbailes.com/uploads/1/3/0/4/130476272/lebameke.pdf
    • http://007bondband.com/uploads/1/3/0/2/130272319/5352928.pdf
    • http://artsmatter.org/uploads/1/3/0/9/130969238/6444861.pdf
    • http://devinandjessica.com/uploads/1/3/0/8/130874031/levaraj.pdf
    • http://mspoolebiology.com/uploads/1/3/0/5/130550936/fb788887.pdf
    • http://kwakuandshokha.com/uploads/1/3/0/6/130639913/xugojitigo.pdf
    • http://lead-start.com/uploads/1/3/0/4/130476984/785476.pdf
    • http://opensourceaudio.org/uploads/1/3/0/6/130605344/sekobawuwavadi.pdf
    • http://merkabaonecollection.com/uploads/1/3/0/7/130775413/795390.pdf
    • http://omgcharts.com/uploads/1/3/0/6/130604882/vabekikuv_sivikixuzigado_bakefupigikuxuf.pdf
    • http://acemenus.com/uploads/1/3/0/7/130740217/9b2412a8c48dcf5.pdf
    • http://merchantsac.net/uploads/1/3/0/6/130603744/1957773.pdf
    • http://timeporters.net/uploads/1/3/0/6/130639173/bee22e.pdf
    • http://sharpelaw.com.sg/uploads/1/3/0/3/130323932/6473178.pdf
    • http://ht.sondrafinancialservicesllc.com/uploads/1/3/0/5/130589220/130589220.html#%2Fbin%2Fsh+adb+command+not+found+mac
    • http://regionc.swe.org/uploads/1/3/0/8/130813526/xujugudo.pdf
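The PDF_SEO_LINK_FARM rule above combines three observations: the file is small, it carries many clickable external links, and those links cluster. In this sample the clustering is on the path template rather than on one host, so a useful detector scores both. The script below is an added example, not the report's own rule engine: it pulls /URI values out of uncompressed PDF bytes (literal and hex string forms), generalises each link's directory path, and applies assumed thresholds (100 KB, 10 links, 60 % clustering). The sample PDF bytes and all hostnames in it are constructed for the demonstration.

```python
"""Link-farm heuristic over raw PDF bytes (added example, not the report's engine)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Link-annotation URIs in a PDF appear as /URI (literal) or /URI <hex>.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def extract_uris(pdf: bytes) -> list:
    """Pull every /URI value out of uncompressed PDF bytes (both string forms)."""
    found = []
    for m in URI_LITERAL.finditer(pdf):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        found.append(raw.decode("latin-1"))
    for m in URI_HEX.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:                # an odd trailing nibble is padded with 0
            digits += b"0"
        found.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return found


def path_template(url: str) -> str:
    """Directory part of the path with digit runs generalised, e.g. /uploads/N/N/N/N/N/*."""
    directory = urlsplit(url).path.rpartition("/")[0]
    return re.sub(r"\d+", "N", directory) + "/*"


def assess(pdf: bytes, max_size=100_000, min_links=10, cluster_ratio=0.6) -> dict:
    """Score one PDF against the link-farm pattern. Threshold values are assumptions."""
    external = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(path_template(u) for u in external)
    host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    template_share = templates.most_common(1)[0][1] / n if n else 0.0
    return {
        "size": len(pdf),
        "external_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": host_share,
        "top_template": templates.most_common(1)[0][0] if n else None,
        "top_template_share": template_share,
        # Either kind of clustering is enough; this sample clusters on path, not host.
        "link_farm": (len(pdf) <= max_size and n >= min_links
                      and max(host_share, template_share) >= cluster_ratio),
    }


def build_sample_pdf(urls, hex_encode_last=False) -> bytes:
    """Constructed test input: one page whose only content is a Link annotation per URL.
    Objects are uncompressed and there is no xref table, which is all a byte-level
    scanner needs; a viewer would have to repair it before rendering."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = []
    for i, url in enumerate(urls):
        if hex_encode_last and i == len(urls) - 1:
            uri = b"<" + url.encode("latin-1").hex().encode("ascii") + b">"
        else:
            uri = b"(" + url.encode("latin-1") + b")"
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI " + uri + b" >> >>")
        annots.append(b"%d 0 R" % (4 + i))
    objs.insert(2, b"<< /Type /Page /Parent 2 0 R /Annots [" + b" ".join(annots) + b"] >>")
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer << /Root 1 0 R >>\n%%EOF\n"


# Constructed link sets: twelve unrelated hosts sharing one generated path template
# (the pattern seen in this sample), versus a document with two ordinary citations.
FARM_URLS = ["http://host%02d.example/uploads/1/3/0/%d/1305%05d/%s.pdf"
             % (i, i % 9, i * 7919, "f" * (i % 5 + 1)) for i in range(12)]
NORMAL_URLS = ["https://example.org/paper.pdf", "https://docs.example.net/guide"]

if __name__ == "__main__":
    for label, urls in (("farm", FARM_URLS), ("normal", NORMAL_URLS)):
        print(label, assess(build_sample_pdf(urls, hex_encode_last=True)))
```

Against a real sample, replace build_sample_pdf with the file's bytes; if the document uses object streams or FlateDecode'd annotation dictionaries, inflate them first (qpdf --qdf or a PDF library), since the regexes only see plaintext.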

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000303f.bin
SHA-256: 722c04f0e83e48356ce6e006c44522b291904ac3b8036ae15a8a67272bb8804e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x303F
Size: 8392 bytes