Malicious PDF — malware analysis report

Static analysis result for SHA-256 8bd8cb73d3b262b4…

Verdict: MALICIOUS
File type: PDF
Size: 41.6 KB
Authoring application: OpenOffice.org
MD5: 994fbf773c96842b796362165e6aec3d
SHA-1: 03bd05b482fdb13ec4292fdc0ce6a64f29b0dd32
SHA-256: 8bd8cb73d3b262b4af981a11db0a9e5ae368a5887f07d3e74981342b2fc362b6
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file was flagged by multiple heuristics, including a critical finding for a link farm and a machine learning model indicating high maliciousness. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports its malicious nature. The document body contains numerous URLs pointing to external PDF files, suggesting a phishing or malware distribution campaign. The primary IOC is the first identified URL, which is part of the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted from the document body:
    • http://auroaustria.com/uploads/1/3/0/5/130551351/kosetafemeted_gojebivol_mizufibalib_tumutuz.pdf
    • https://debesejod.weebly.com/uploads/1/3/0/5/130541000/defoku_vowel.pdf
    • http://pawsforthought.net/uploads/1/3/0/4/130483303/2650536.pdf
    • http://jimu.zayavka-na-kredit.com/uploads/2020/01/27/bemifabesebopufogofe.pdf
    • http://raganiv.serovatextile.ru/uploads/2020/01/28/d88f346f3c.pdf
    • http://tkd-cska.ru/uploads/2020/01/29/3121724.pdf
    • http://rakatofiw.artpicture.pro/uploads/2020/01/28/fozetikikiseponitega.pdf
    • http://bor.copyrightcontact-1000006412512.com/uploads/2020/01/29/nudowu.pdf
    • https://maguniside.weebly.com/uploads/1/3/0/2/130289803/parokidotajivelasev.pdf
    • http://pupovo.pnptogo.com/uploads/2020/01/29/f2a22.pdf
    • https://fufafoxavu.weebly.com/uploads/1/3/0/5/130543346/641c95151d4e.pdf
    • http://borderarte.com/uploads/1/3/0/4/130489080/petejaretuj.pdf
    • http://meses.festivalweer.com/uploads/2020/01/29/tobodalosixideb.pdf
    • https://pesokotagu.weebly.com/uploads/1/3/0/5/130543663/vomijupakudojub.pdf
    • http://kcbevco.com/uploads/1/3/0/4/130483086/130483086.html#fractional+distillation+of+crude+oil+worksheet

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000013de.bin
    SHA-256: 72d565f5c5c3bc665cdbb300fd8826c5418e3c996010c3802b88a131187d1676
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13DE
    Size: 7760 bytes
  • Filename: font_01_sfnt_off00005ae8.bin
    SHA-256: 4409e17121a406386ab8efd28a65c87605b9d6700b91d8372ee2edc3cceb208b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5AE8
    Size: 16308 bytes