Malicious PDF — malware analysis report

Static analysis result for SHA-256 750acd4afcc8aaa4…

MALICIOUS

PDF

Size: 36.8 KB
Authoring application: OpenOffice Draw
MD5: 7e6c7ef901985d21a8eb3826cca6b2b7
SHA-1: 13efa92a1347abb86819f8ab4ff063ae15e651b6
SHA-256: 750acd4afcc8aaa409abc52b8d07f3fcf2cb8c1a0e1823071911b4c22a040b2b
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, as detected by the PDF_SEO_LINK_FARM heuristic. These links point to various PDF files hosted on numerous domains, suggesting a coordinated effort to distribute content or manipulate search engine results. The ML classifier and ClamAV detection further support the malicious nature of this file, flagging it as phishing-related. No scripts were extracted, and the document body was heavily obfuscated and truncated, preventing a deeper analysis of its specific intent beyond link distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001581.bin
SHA-256: 440e50b9d45ff955700c2b537073a39d766409bdd2ed25896949fbce101b3d19
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1581
Size: 7760 bytes