Malicious PDF — malware analysis report

Static analysis result for SHA-256 91ec3565d1c00e5c…

MALICIOUS

PDF

Size: 39.9 KB
Authoring application (document metadata, attacker-controlled): OpenOffice Draw
MD5: e01ed747ebd6512ea65b30eb8d397d0c
SHA-1: 42ab504494dd2b021192df70e581c0a42d527bbd
SHA-256: 91ec3565d1c00e5cbc6c301640a75ff59f8dbfa25edc2bbb6b6aace7433e12b4
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains an unusually large number of clickable external links for its size (19 extracted from a 39.9 KB file), which triggered the PDF_SEO_LINK_FARM heuristic; a ClamAV signature match and the ML classifier (score 1.0000) independently reach the same verdict. The links are spread across 19 different hosts, so the clustering here is not by host but by path: every URL sits under an identical /uploads/1/3/0/<digit>/<nine-digit id>/ structure, and 18 of the 19 point to further .pdf files. That layout is consistent with machine-generated link-farm carriers rather than a document's citations. The embedded URLs are most likely used to route victims into further malware or unwanted-software delivery chains or to inflate SEO rankings. The "Authoring application" value comes from the document's own metadata and should not be trusted for attribution. No scripts (JavaScript, OpenAction or Launch actions) were extracted from this sample, so the risk lies in a user following the links rather than in code executed by the document itself.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://pornabl.com/uploads/1/3/0/5/130590164/f4c38.pdf
    • http://jhoanrivas.net/uploads/1/3/0/7/130740251/xudepifalesikemugog.pdf
    • http://nicelittleearner.co/uploads/1/3/0/6/130620268/xemiwemizidumu-sivugesavuwesi.pdf
    • http://nerdfinance.net/uploads/1/3/0/4/130489075/vutidigowogoxab.pdf
    • http://www.trailerclass.com/uploads/1/3/0/8/130874422/narusukenokuvak.pdf
    • http://alexiswebbcarqueen.com/uploads/1/3/0/6/130605506/bijetoxefuvorufopeje.pdf
    • http://www.talkan.us/uploads/1/3/0/4/130476412/6105276.pdf
    • http://babypassiondoula.com/uploads/1/3/0/5/130538988/mewaverij_nupefipewivute_suvasoxetefif.pdf
    • http://diceandwhatever.com/uploads/1/3/0/6/130605390/8695018.pdf
    • http://deafperutour.com/uploads/1/3/0/6/130603838/vitofowobusap-xudaleluvug-busugelixig-gipojolivovezub.pdf
    • http://slpresource.com/uploads/1/3/0/7/130739173/wegarexuzorisozipumo.pdf
    • http://carlos-morales.com/uploads/1/3/0/2/130288361/riwurabekisiwow.pdf
    • http://www.franciesfrippery.com/uploads/1/3/0/5/130551994/461a35f.pdf
    • http://nicaraguaconvoy.com/uploads/1/3/0/8/130874482/18a1245.pdf
    • http://tedsclothing.com/uploads/1/3/0/7/130738646/7687631.pdf
    • http://kriegstattoos.com/uploads/1/3/0/6/130640084/fotulevibiwixo.pdf
    • http://stevengethard.com/uploads/1/3/0/4/130435597/makajopeniwixegunip.pdf
    • http://www.summitridgeguides.org/uploads/1/3/0/4/130435697/dijabo.pdf
    • http://host146.carmichaelnl.com/uploads/1/3/0/5/130588601/130588601.html#polycythemia+newborn+aap
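The PDF_SEO_LINK_FARM heuristic above is described only in prose. The following is an added example, not code from the report's analysis engine, showing how such a check can be implemented: it pulls /URI targets out of link annotations with a raw byte scan, then flags a small file with many external links that cluster either on one host or, generalising the heuristic to what this sample actually shows, on one generated path layout. The thresholds (128 KB, 10 links, 60 % cluster share), the `path_template` normalisation and the `build_link_pdf` helper are assumptions made for the example; the sample URLs are constructed and use `.invalid` hosts, not the hosts listed in the report. One caveat a practitioner should keep in mind: the raw scan only sees annotation dictionaries stored uncompressed, so a real pipeline must inflate object streams (/ObjStm) first or it will miss links.

```python
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import urlparse

# /URI (literal string) inside a /Link annotation's action dictionary.
# PDF literal strings may contain escaped parentheses and backslashes.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
ESCAPE_RE = re.compile(rb"\\([()\\])")


def extract_link_uris(pdf_bytes: bytes) -> List[str]:
    """Return every /URI target found in uncompressed annotation dictionaries.
    Caveat: annotations inside compressed object streams (/ObjStm) are not
    visible to this raw scan; inflate those first in a real pipeline."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = ESCAPE_RE.sub(rb"\1", m.group(1))  # undo \( \) \\ escapes
        uris.append(raw.decode("latin-1"))
    return uris


def path_template(path: str) -> str:
    """Normalise a URL path so generated siblings collapse together: drop the
    filename and replace all-digit segments with 'N' (assumed normalisation).
    '/uploads/1/3/0/5/130590164/f4c38.pdf' -> '/uploads/N/N/N/N/N'"""
    segments = path.split("/")[:-1]
    return "/".join("N" if s.isdigit() else s for s in segments)


def assess_link_farm(pdf_bytes: bytes,
                     max_size: int = 128 * 1024,   # assumed threshold
                     min_links: int = 10,          # assumed threshold
                     cluster_ratio: float = 0.6    # assumed threshold
                     ) -> Dict[str, object]:
    """Small file + many external links + clustering on one host or one
    path template => link-farm carrier."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme.lower() in ("http", "https")]
    n = len(external)
    hosts = Counter((urlparse(u).hostname or "").lower() for u in external)
    templates = Counter(path_template(urlparse(u).path) for u in external)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template_share = templates.most_common(1)[0][1] / n if n else 0.0
    clustered = max(top_host_share, top_template_share) >= cluster_ratio
    return {
        "size": len(pdf_bytes),
        "external_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_host_share, 3),
        "top_path_template": templates.most_common(1)[0][0] if n else "",
        "top_template_share": round(top_template_share, 3),
        "flagged": len(pdf_bytes) <= max_size and n >= min_links and clustered,
    }


def build_link_pdf(uris: List[str]) -> bytes:
    """Constructed sample: a minimal single-page PDF whose only content is one
    /Link annotation per URI. No xref table is written; enough for the scan."""
    def lit(s: str) -> bytes:
        return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)").encode("latin-1")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annot_refs = " ".join(f"{4 + i} 0 R" for i in range(len(uris))).encode()
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annot_refs + b"] >>")
    for i, u in enumerate(uris):
        y = 700 - 20 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [50 %d 300 %d] "
                    b"/Border [0 0 0] /A << /S /URI /URI (" % (y, y + 15)
                    + lit(u) + b") >> >>")
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return out


# Constructed inputs (not the hosts from the report): nineteen different hosts
# that all share the same generated /uploads/N/N/N/N/N/ layout, like the sample.
FARM_URIS = [f"http://site{i:02d}.invalid/uploads/1/3/0/{i % 9}/13050{i:04d}/doc{i}.pdf"
             for i in range(19)]
BENIGN_URIS = ["https://www.iso.org/standard/51502.html",
               "https://datatracker.ietf.org/doc/html/rfc8259",
               "https://example.invalid/paper(2019).pdf"]

if __name__ == "__main__":
    for name, uris in (("link-farm", FARM_URIS), ("benign", BENIGN_URIS)):
        print(name, assess_link_farm(build_link_pdf(uris)))
```

Against the constructed link-farm input the host share is 1/19 but the path-template share is 1.0, which is exactly why a host-only clustering test would miss a sample like the one in this report; the benign three-citation document stays below both the link-count and the clustering thresholds.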

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003da2.bin
SHA-256: 9441543e0a03a7f943b4951ab822dcb5528c19ea96bea1855f3a7133e264674f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3DA2
Size: 8200 bytes