Malicious PDF — malware analysis report

Static analysis result for SHA-256 7224603c70cb4f28…

Verdict: MALICIOUS
File type: PDF
Size: 58.9 KB
Authoring application: LibreOffice
MD5: 2751523cadb38a22539113857699f559
SHA-1: 6dd7529f3e1d93e7da6796a7a9c19bb9f93c4500
SHA-256: 7224603c70cb4f287a69e053f09b5a82e60b3ae22fc182f6501cf89abcadfb98
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic, which are designed to redirect users to external PDF files. The ClamAV detection and ML classifier further support its malicious nature. The embedded URLs likely serve as a distribution mechanism for further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000147c.bin
SHA-256: d3fd563b192fdf40afe40f23f889521d52a1d5a0869169fb1912d1a67a73b8f7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x147C
Size: 9180 bytes