Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f787b42d0306346…

Verdict: MALICIOUS
File type: PDF
Size: 39.3 KB
Authoring application: LibreOffice Draw
MD5: 23b345746d82c8c9940a71e886603196
SHA-1: 24212d044a4a1c0a919c0ff08535b7d29d9927d2
SHA-256: 7f787b42d0306346bd2e799866aeae304629041baa0f6e40a0e2f9b38718cf7c
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute malicious content. ClamAV identified this as Pdf.Phishing.TtraffRobotInstall, and an ML classifier also flagged it as malicious. The document body appears to be corrupted or obfuscated, preventing a clear understanding of its direct user-facing purpose beyond the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003d9f.bin
SHA-256: cd13a792c9c6738e1ae9852ce2fc0be6bc183271eddb5b4f29e0e77eebc7289f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3D9F
Size: 7584 bytes