Malicious PDF — malware analysis report

Static analysis result for SHA-256 7a7e0d592c7416f1…

Verdict: MALICIOUS
File type: PDF
Size: 48.9 KB
Authoring application: OpenOffice Draw
MD5: 6b4ee25360a4d37c27780562cabc6043
SHA-1: 16cbc6da763a0f8719b086827037c0482cc967d5
SHA-256: 7a7e0d592c7416f117a55b4f2c6e7551ae8c9c38ce983ca0bdc945663edf9b75
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, many with numeric slugs, indicative of a link farm designed to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly suggest malicious intent. Although no scripts were explicitly extracted, the presence of embedded URLs and the heuristic 'PDF_SEO_LINK_FARM' indicate that this document is likely part of a phishing or malware distribution campaign, potentially using JavaScript for exploitation.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000423a.bin
SHA-256: d04847e227487262e06b90921042edcca09e2580070145dac1c0a990b4fd34ed
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x423A
Size: 16252 bytes

Filename: font_01_sfnt_off00005a88.bin
SHA-256: 150f2f4144badb8d388b63f036768905612705abe83c4e2a08283083a943811a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5A88
Size: 8468 bytes