Malicious PDF — malware analysis report

Static analysis result for SHA-256 87a22729f40f1853…

Verdict: MALICIOUS
File type: PDF
Size: 32.5 KB
Authoring application: LibreOffice
MD5: 99d85cf7aa4cd964f2c437c41a8e9ad8
SHA-1: e0f16f5d1aab79f0feaf3513685381d2230ee153
SHA-256: 87a22729f40f185359d639e79592d6ed313c7074f85ea5b8b836f90c85f50383
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The sample is a small (32.5 KB) PDF whose content is dominated by clickable external links to other PDF files, which is what the PDF_SEO_LINK_FARM heuristic flags. The targets are spread across many unrelated domains, but nearly all of them share one path layout (/uploads/1/3/0/<n>/<id>/<name>.pdf), the fingerprint of mass-generated SEO link-farm carriers that route a reader toward further unwanted or malicious downloads rather than of a document citing sources. The ClamAV signature (Pdf.Phishing.TtraffRobotInstall-7605656-0) and the ML classifier's score of 1.0000 agree with the heuristic, so the verdict is malicious, with phishing or malware distribution as the likely purpose. Treat the listed URLs as second-stage carriers rather than the final payload: fetch them only from an isolated analysis environment, and use the host and path pattern for proxy blocking or hunting.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://crafttherapy.net/uploads/1/3/0/7/130775220/3043883.pdf
    • http://nakomahomesandland.com/uploads/1/3/0/4/130491079/6189488.pdf
    • http://writerswithroomtobloom.com/uploads/1/3/0/6/130620800/wetirub-morijoxul-vupatogozu-leruvoxudobe.pdf
    • http://kennyandtina.com/uploads/1/3/0/5/130551310/8535576.pdf
    • http://nwrealtybrokers.com/uploads/1/3/0/5/130588165/gikenodol-fipug.pdf
    • http://caraboawards.com/uploads/1/3/0/6/130639398/4081297.pdf
    • http://michelsunlee.com/uploads/1/3/0/8/130874130/wiwesisofazuzavekinu.pdf
    • http://flintmage.com/uploads/1/3/0/2/130288379/maresevigematibow.pdf
    • http://www.firearmstrainingservices.com/uploads/1/3/0/4/130483443/4197125.pdf
    • http://ssgesports.com/uploads/1/3/0/7/130739713/lugodabija.pdf
    • http://cnxile.com.aqb.so/uploads/1/3/0/8/130814122/7650679.pdf
    • http://medcem.org/uploads/1/3/0/2/130271165/tiwubi.pdf
    • http://goodkidbook.com/uploads/1/3/0/8/130874094/dbe6b3cfce4551.pdf
    • http://microblading-amsterdam.com/uploads/1/3/0/5/130589339/563185256.pdf
    • http://synapse-productions.com/uploads/1/3/0/2/130289603/vorininusudonupisaw.pdf
    • http://jessicastameyshairbydesign.com/uploads/1/3/0/7/130739590/e2331172f8e49ea.pdf
    • http://catamaranadastra.com/uploads/1/3/0/2/130288557/mimulovo-kulisinixuxe-lagubuxa-xufibat.pdf
    • http://todayinba.com/uploads/1/3/0/4/130478307/78dff.pdf
    • http://adrenal14.pleasingfood.com/uploads/1/3/0/7/130775916/130775916.html#spectrum+reading+comprehension+grade+3
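A worked implementation of the link-farm heuristic described above, added here as an example and not the scanner's own code. It pulls the /URI targets of Link annotations out of the raw PDF bytes, counts clickable external links to .pdf files, and measures how concentrated they are by host and, going slightly beyond the heuristic text, by shared path template, because the links on this page sit on different hosts but share the /uploads/1/3/0/... layout. The thresholds (64 KB, 8 PDF links, 50% concentration), the build_sample_pdf helper and the site*.example hosts are assumptions; the sample PDFs are constructed inline.

```python
"""PDF_SEO_LINK_FARM-style detector (added example, not the scanner's code)."""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI (literal string) inside a Link annotation's action dictionary. PDF
# literal strings escape ')' and '\' with a backslash, so allow escapes.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_link_uris(pdf_bytes: bytes) -> list:
    """Return every /URI literal string found in the raw PDF, unescaped."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).decode("latin-1")
        uris.append(re.sub(r"\\([()\\])", r"\1", raw))
    return uris


def path_template(url: str, depth: int = 3) -> str:
    """First `depth` path segments, e.g. '/uploads/1/3' for the links on this page."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    return "/" + "/".join(parts[:depth])


def link_farm_score(pdf_bytes: bytes, max_size: int = 64 * 1024,
                    min_pdf_links: int = 8, min_cluster_share: float = 0.5) -> dict:
    """Score a PDF against the rule. Thresholds are assumed values for this example."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    top_host, top_host_n = (hosts.most_common(1) or [("", 0)])[0]
    top_tmpl, top_tmpl_n = (templates.most_common(1) or [("", 0)])[0]
    host_share = top_host_n / n if n else 0.0
    tmpl_share = top_tmpl_n / n if n else 0.0
    # Fire on: small file, many clickable PDF links, links clustered on one host
    # or on one path template (the cross-host variant seen in this report).
    fires = (len(pdf_bytes) <= max_size and n >= min_pdf_links
             and max(host_share, tmpl_share) >= min_cluster_share)
    return {
        "size": len(pdf_bytes),
        "uri_count": len(uris),
        "external_pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(host_share, 2),
        "top_path_template": top_tmpl,
        "top_template_share": round(tmpl_share, 2),
        "fires": fires,
    }


def build_sample_pdf(urls) -> bytes:
    """Construct a minimal PDF with one Link annotation per URL (constructed test
    input; it omits the xref table, which the byte-level extractor does not need)."""
    objs, refs = [], []
    for i, u in enumerate(urls, start=4):
        objs.append(f"{i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                    f"/A << /S /URI /URI ({u}) >> >>\nendobj\n")
        refs.append(f"{i} 0 R")
    doc = ("%PDF-1.4\n"
           "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
           f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{' '.join(refs)}] >>\nendobj\n"
           + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return doc.encode("latin-1")


# Constructed sample mirroring the report's pattern: many hosts, one path layout,
# plus one non-PDF target. Hosts are placeholders, not the URLs from the report.
SAMPLE_URLS = [
    f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/13077{i:04d}/{1000 + i}.pdf"
    for i in range(12)
] + ["http://site00.example/uploads/1/3/0/7/130775916/130775916.html#grade+3"]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

# Control: a short document citing two PDFs on one host must not fire.
CONTROL_PDF = build_sample_pdf([
    "https://example.org/papers/a.pdf",
    "https://example.org/papers/b.pdf",
])

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("control", CONTROL_PDF)):
        print(name, link_farm_score(blob))
```

The regex-over-bytes approach is deliberately cheap and works on this sample because its annotation dictionaries are stored uncompressed; it will miss /URI entries inside compressed object streams (PDF 1.5 /ObjStm) or written as hex strings, so a production detector should decompress with a real parser first and run the same scoring over the parsed annotations.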

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000023a7.bin
SHA-256: 54226affdbab056cd78c152f6612bc84c9319c2f5570b6965ce20d99260ebfc7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x23A7
Size: 6888 bytes

The font was carved for completeness; no detection in this report is attached to it, and an embedded sfnt font is expected in a LibreOffice-exported PDF.