Malicious PDF — malware analysis report

Static analysis result for SHA-256 721edfd9863323a2…

MALICIOUS

PDF

35.3 KB Authoring application: OpenOffice Draw
MD5: 194f0b573258c0f32aebccac81b400a6 SHA-1: d138ce55fe3669c68ffa4638d24ff98019d05bfd SHA-256: 721edfd9863323a28e23c0f0d3c3cf70075332346b43a510025de851d2bd9a13
232 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF document contains a large number of embedded URLs, suggesting it is part of a link farm designed for SEO manipulation or to host malicious content. Heuristics indicate social engineering lures, specifically instructing the user to copy and paste commands into a shell, a tactic often used to bypass macro restrictions and download further payloads. The ML classifier and ClamAV detection strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://fbcmonroeville.com/uploads/1/3/0/2/130288579/1194358.pdf
    • http://ptmwc.org/uploads/1/3/0/4/130477085/nenadunolurumema.pdf
    • http://werkthatbooth.com/uploads/1/3/0/3/130313218/eb9f6e1f9.pdf
    • http://www.customequestrianproducts.com/uploads/1/3/0/7/130739764/951bd02c0694960.pdf
    • http://mydrwalker.com/uploads/1/3/0/6/130621047/7000621.pdf
    • http://www.elitewebservices.co.uk/uploads/1/3/0/2/130272575/xisuvuzope.pdf
    • http://triangulate.us/uploads/1/3/0/3/130312974/tejarozimuno-ziwasavepejigi.pdf
    • http://zbfit.online/uploads/1/3/0/5/130551907/nezonusi_kexumev_wudew_pufadobuw.pdf
    • http://theminimalistcreator.com/uploads/1/3/0/6/130639540/tubekeranoneki.pdf
    • http://velvetbathtime.com/uploads/1/3/0/6/130604520/lojutatikut.pdf
    • http://mx.porthackinglac.com/uploads/1/3/0/6/130604363/vedujox-lobutuni-dugebevefiloj.pdf
    • http://www.erpconsulting.org/uploads/1/3/0/5/130538956/5733900.pdf
    • http://snackopedia.com/uploads/1/3/0/7/130775907/jaxajuvowuj_tobifenalimeve_sexapojuso_jizabo.pdf
    • http://celestialinspirationsstore.com/uploads/1/3/0/5/130540926/walisan-nogezatazo.pdf
    • http://yournatureislove.com/uploads/1/3/0/5/130542977/tanaje_kejaxilox_xowime_farediluponigot.pdf
    • http://sales12-sip-phone.pleasingfood.com/uploads/1/3/0/4/130435500/130435500.html#belajar+edit+video+dengan+adobe+premiere+pro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00002e59.bin
74d4feb46a1bb427c585dcd44d8791db0eb621e444fbbd6f9f5a662e4e4b242e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2E59 8040 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.