Malicious PDF — malware analysis report

Static analysis result for SHA-256 8bc3a9afb64b42be…

MALICIOUS

PDF

Size: 42.5 KB
Authoring application: OpenOffice Draw
MD5: d47ccaddb6603f97359fa9ca704d5914
SHA-1: 6907711292ca8686d6ce5416fc1c86de930a096b
SHA-256: 8bc3a9afb64b42be465f241214fc0670c0122e1dff2ae3c025617991d9e38f75
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, a pattern typical of SEO poisoning or of redirecting users to malicious sites. The ClamAV signature and the ML classifier both point to malicious intent. The embedded URLs resolve to hosts that appear to belong to a link farm: they sit on four unrelated domains yet share the same generated path layout (/uploads/1/3/0/6/<numeric id>/), which is characteristic of mass-produced lure pages rather than genuine citations. These pages likely serve as a phishing lure or as a hop toward further malware delivery. The document body text, while made up of seemingly innocuous phrases, is likely padding or part of the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://discountcannadelivery.com/uploads/1/3/0/6/130620604/7039069.pdf
    • http://nandamay.com/uploads/1/3/0/6/130639055/fimamudaju.pdf
    • http://scupstateparalegals.org/uploads/1/3/0/6/130604069/632c5c1c5680247.pdf
    • http://colddiamnd.com/uploads/1/3/0/6/130621033/130621033.html#aer+lingus+information+desk+dublin+airport
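The following is an added example, not the analysis platform's own rule code: a minimal re-implementation of the PDF_SEO_LINK_FARM heuristic and of the per-channel URL labelling described above. It pulls URLs out of link annotations (/URI actions) and out of JavaScript actions, labels each with the channel that reached it, and flags a small PDF whose clickable links cluster on one host. The sample PDF skeleton, the host names and the thresholds (100 KB, 3 links, 60% on the top host) are constructed assumptions for illustration.

```python
"""Re-implementation sketch of the PDF_SEO_LINK_FARM heuristic (added example,
not the analysis platform's code). Extracts URLs from link annotations and
JavaScript actions, labels the channel, and scores host clustering."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed PDF skeleton (not the analysed sample): three link annotations on
# one host, one on another host, and one JavaScript action that opens a URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/c.html#lure+text) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example/x.pdf) >> >> endobj
8 0 obj << /S /JavaScript /JS (app.launchURL("http://js.example/go", true)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Assumed thresholds; a production rule would tune these against a corpus.
MAX_SMALL_PDF_BYTES = 100 * 1024
MIN_CLICKABLE_LINKS = 3
MIN_TOP_HOST_RATIO = 0.6

# /URI key followed by a literal string: the target of a link annotation action.
URI_KEY = re.compile(rb"/URI\s*\(([^)]*)\)")
# /S /JavaScript /JS (...) with one level of balanced parentheses inside.
JS_ACTION = re.compile(rb"/S\s*/JavaScript\s*/JS\s*\(((?:[^()]|\([^()]*\))*)\)")
URL_IN_TEXT = re.compile(rb"https?://[^\s\"'<>)]+")


def extract_urls(pdf: bytes):
    """Return (channel, url) pairs. Only literal strings are handled; hex
    strings, object streams and encrypted documents are out of scope here."""
    found = []
    for m in URI_KEY.finditer(pdf):
        found.append(("link_annotation", m.group(1).decode("latin-1")))
    for m in JS_ACTION.finditer(pdf):
        for url in URL_IN_TEXT.findall(m.group(1)):
            found.append(("javascript", url.decode("latin-1")))
    return found


def link_farm_verdict(pdf: bytes) -> dict:
    """Small file + many clickable links + one host dominating => link farm."""
    clickable = [u for ch, u in extract_urls(pdf) if ch == "link_annotation"]
    if not clickable:
        return {"hit": False, "links": 0, "top_host": None, "ratio": 0.0, "hosts": {}}
    hosts = Counter(urlsplit(u).hostname for u in clickable)
    top_host, top_n = hosts.most_common(1)[0]
    ratio = top_n / len(clickable)
    hit = (len(pdf) <= MAX_SMALL_PDF_BYTES
           and len(clickable) >= MIN_CLICKABLE_LINKS
           and ratio >= MIN_TOP_HOST_RATIO)
    return {"hit": hit, "links": len(clickable), "top_host": top_host,
            "ratio": ratio, "hosts": dict(hosts)}


if __name__ == "__main__":
    for channel, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} {url}")
    print(link_farm_verdict(SAMPLE_PDF))
```

The channel label matters for triage: a URL in a link annotation only fires when the reader clicks, while one reached from a JavaScript action can fire on open, so the same host list deserves a different severity depending on where it came from. Real samples also hide targets in hex strings, object streams and encrypted documents, which this regex pass does not see; a full parser is needed to rule those out.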

Extracted artifacts (2)

Files carved from inside the sample during analysis. Embedded fonts are normal in PDFs exported by office suites and are listed for completeness and for hash pivoting; they are not detections in themselves.

  • font_00_sfnt_off00000f99.bin
    SHA-256: fa58618233b6636fc81c94b46cc24c3977af266283d54715219697b414c6785c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF99
    Size: 7640 bytes
  • font_01_sfnt_off00005f70.bin
    SHA-256: 322701f1f7ce52f1e2c270a0bb3090cbbccd2613e2548c816e08e746c3346379
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5F70
    Size: 16344 bytes
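The following is an added example, not the analysis platform's own carver: it shows how "pdf-font-stream" artifacts like the two listed above can be recovered. It walks every stream object, inflates FlateDecode streams, keeps those whose first four bytes are an sfnt container magic (TrueType, OpenType or TTC), and records filename, offset, size and SHA-256 in the same shape as the table. The input PDF and the font payloads are constructed in the block and are not real fonts.

```python
"""Carve embedded sfnt fonts from PDF stream objects (added example, not the
analysis platform's code). Offsets are the file offset of the stream body."""
import hashlib
import re
import struct
import zlib

# sfnt container magics: TrueType 1.0, Apple 'true', CFF-based OpenType, TTC.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

# Stream object: dictionary, 'stream', EOL, body, EOL, 'endstream'.
STREAM_RE = re.compile(
    rb"<<(?P<dict>.*?)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream", re.S)


def fake_sfnt(table_tag: bytes) -> bytes:
    """Constructed stand-in for a TrueType font: sfnt header + one table record.
    Not a usable font, just enough structure to exercise the carver."""
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)  # numTables=1
    record = table_tag + struct.pack(">III", 0, 28, 4)  # checksum, offset, length
    return header + record + b"\x00" * 4


def build_pdf(fonts) -> bytes:
    """Constructed PDF with one page-content stream plus one stream per font."""
    parts = [b"%PDF-1.4\n"]
    content = zlib.compress(b"BT /F1 12 Tf (hello) Tj ET")  # must not be carved
    parts.append(b"1 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(content)
                 + content + b"\nendstream endobj\n")
    for num, font in enumerate(fonts, start=2):
        data = zlib.compress(font)
        parts.append(b"%d 0 obj << /Length %d /Filter /FlateDecode /Length1 %d >> stream\n"
                     % (num, len(data), len(font)) + data + b"\nendstream endobj\n")
    parts.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


def carve_fonts(pdf: bytes) -> list:
    """Return one record per embedded sfnt font found in stream objects."""
    carved = []
    for m in STREAM_RE.finditer(pdf):
        body = m.group("body")
        if b"/FlateDecode" in m.group("dict"):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # truncated or corrupt stream: skip rather than misclassify
        if body[:4] not in SFNT_MAGICS:
            continue
        offset = m.start("body")
        carved.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(carved), offset),
            "sha256": hashlib.sha256(body).hexdigest(),
            "kind": "pdf-font-stream",
            "source": "PDF embedded font (sfnt) at offset 0x%X" % offset,
            "offset": offset,
            "size": len(body),
        })
    return carved


if __name__ == "__main__":
    sample = build_pdf([fake_sfnt(b"cmap"), fake_sfnt(b"glyf")])
    for rec in carve_fonts(sample):
        print(rec)
```

The hash is taken over the inflated stream, so it can be pivoted against font hashes seen in other samples from the same generator; the raw (still-compressed) bytes would hash differently for every file. Other filters (LZW, ASCIIHex, ASCII85, filter chains) and streams inside object streams are not handled here and would need the corresponding decoders.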