Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a08d63b312b6f22…

Verdict: MALICIOUS
File type: PDF
Size: 39.5 KB
Authoring application: OpenOffice.org
MD5: f26daf3fa32414060b306194b2868d21
SHA-1: 0bd78b505fa00cb2372c0df13aac6b55c2476a43
SHA-256: 9a08d63b312b6f22b09af3650bf5e3cd4694324522d0638e31ff904707f4ea31
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link (T1566.002 is the link sub-technique; the attachment sub-technique is T1566.001, and what this sample delivers is clickable links)
  • T1059.001 Command and Scripting Interpreter: PowerShell (vendor tag; none of the static findings below reference PowerShell, so treat it as unconfirmed for this sample)

The PDF is a link-farm carrier: a small document whose clickable links point to further PDFs and HTML pages hosted under generated "uploads" paths, which is what the PDF_SEO_LINK_FARM heuristic flags. The Nyx ML classifier (malicious score 0.9999) and the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 both classify the file as phishing. The document body is heavily obfuscated but still contains the lure string 'Archery king mod apk unlimited' and the embedded URLs listed below, consistent with an SEO lure that routes users into further downloads rather than a legitimate document. No exploit or active content (JavaScript, launch actions, embedded executables) is reported; the risk comes from where the links lead.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://miva.orso-bruno.com/uploads/2020/01/28/2443117.pdf
    • http://daruwi.technolojix.com/uploads/2020/01/27/dibesepokafubir.pdf
    • http://sejujanosa.ekstra-147.ru/uploads/2020/01/27/kutulitab_zitunaxumomoko_muruwenex.pdf
    • https://zumamolakerafi.weebly.com/uploads/1/3/0/6/130604162/nuneziteku.pdf
    • http://saduwitodo.audiostart21.icu/uploads/2020/01/27/kifun_ruzamususeteje.pdf
    • https://jofikovevaja.weebly.com/uploads/1/3/0/5/130539871/e746a9b.pdf
    • http://humannaturefoundation.com/uploads/1/3/0/3/130324136/130324136.html#archery+king+mod+apk+unlimited
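The two heuristics above (the PDF_SEO_LINK_FARM rule and the per-channel URL labels) can be reproduced with a small static parser. The following is an added example, not the vendor's scanner or any code from the page: it builds a constructed, minimal single-page PDF with /Link annotations and a text string in the content stream, extracts every URL tagged with the channel it was found in (link annotation vs. document body), and fires a link-farm verdict when a small file carries many external .pdf links clustered on one host. The thresholds (256 KB, at least 5 PDF links, at least 60% on the top host) and all hostnames are assumptions chosen for the demo; the vendor's real cut-offs are not stated on the page.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed thresholds for the link-farm rule (not the vendor's real cut-offs).
MAX_SIZE_BYTES = 256 * 1024
MIN_PDF_LINKS = 5
MIN_TOP_HOST_SHARE = 0.6

# One indirect object: "N G obj ... endobj". Non-greedy so objects don't bleed.
_OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
# /URI (...) literal string; PDF strings may escape ')' as '\)'.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# "(...) Tj" text-showing operators inside a content stream.
_TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")


def _unescape(s: bytes) -> str:
    """Undo backslash escapes in a PDF literal string."""
    return re.sub(rb"\\(.)", rb"\1", s).decode("latin-1")


def extract_urls(pdf: bytes):
    """Return (channel, url) pairs: 'link_annotation' or 'document_body'."""
    found = []
    for m in _OBJ_RE.finditer(pdf):
        body = m.group(2)
        if re.search(rb"/Subtype\s*/Link\b", body):
            for u in _URI_RE.findall(body):
                found.append(("link_annotation", _unescape(u)))
        if b"stream" in body:
            for s in _TJ_RE.findall(body):
                text = _unescape(s)
                if text.startswith(("http://", "https://")):
                    found.append(("document_body", text))
    return found


def link_farm_verdict(pdf: bytes):
    """PDF_SEO_LINK_FARM-style check: small file, many .pdf links, one dominant host."""
    urls = extract_urls(pdf)
    pdf_links = [u for ch, u in urls if ch == "link_annotation"
                 and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    fired = (len(pdf) <= MAX_SIZE_BYTES and len(pdf_links) >= MIN_PDF_LINKS
             and share >= MIN_TOP_HOST_SHARE)
    return {"size": len(pdf), "urls": urls, "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": share,
            "PDF_SEO_LINK_FARM": fired}


def build_sample_pdf(annot_urls, body_urls) -> bytes:
    """Construct a minimal PDF (test fixture only): one /Link annotation per
    annot_url, body_urls drawn as visible text, plus a valid xref table."""
    annot_ids = list(range(5, 5 + len(annot_urls)))
    content = b"BT /F1 12 Tf 72 700 Td " + b" ".join(
        b"(" + u.encode() + b") Tj T*" for u in body_urls) + b" ET"
    objs = {
        1: b"<< /Type /Catalog /Pages 2 0 R >>",
        2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
           b"/Annots [" + b" ".join(b"%d 0 R" % i for i in annot_ids) + b"] >>",
        4: b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
    }
    for i, u in zip(annot_ids, annot_urls):
        objs[i] = (b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] "
                   b"/A << /Type /Action /S /URI /URI (%s) >> >>"
                   % (650 - 20 * i, 665 - 20 * i, u.encode()))
    out, offsets = bytearray(b"%PDF-1.4\n"), {}
    for i in sorted(objs):
        offsets[i] = len(out)
        out += b"%d 0 obj\n" % i + objs[i] + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for i in sorted(objs):
        out += b"%010d 00000 n \n" % offsets[i]
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


# Constructed sample: 8 .pdf links on one farm host, 2 links elsewhere, and one
# lure URL in the page text. Hostnames are reserved example names, not real sites.
FARM_HOST = "cdn.link-farm.example"
SAMPLE_ANNOT_URLS = [f"http://{FARM_HOST}/uploads/2020/01/27/file{i}.pdf" for i in range(8)]
SAMPLE_ANNOT_URLS += ["https://other-a.example/uploads/1/x.pdf",
                      "http://other-b.example/about.html"]
SAMPLE_BODY_URLS = ["http://landing.example/index.html#some-app+mod+apk"]
SAMPLE_PDF = build_sample_pdf(SAMPLE_ANNOT_URLS, SAMPLE_BODY_URLS)

if __name__ == "__main__":
    v = link_farm_verdict(SAMPLE_PDF)
    for channel, url in v["urls"]:
        print(f"{channel:16} {url}")
    print({k: v[k] for k in ("size", "pdf_links", "top_host", "top_host_share", "PDF_SEO_LINK_FARM")})
```

The object-by-object scan matters in practice: a single regex over the whole file would happily pair a /Subtype /Link from one annotation with the /URI of the next. Real samples also hide strings in compressed object streams and hex strings (`<...>`), which this parser does not decode; run it on the output of a decompressing tool (qpdf --qdf or pdf-parser) rather than on the raw file.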

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt fonts, which an OpenOffice.org export normally includes; they are listed for completeness and are not themselves indicators.

  • font_00_sfnt_off00001106.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1106
    Size: 7860 bytes
    SHA-256: 0c972f6c8342fd5553df1eea46fff9a7f40d7a186a472ffe89bca455e82014d4
  • font_01_sfnt_off0000523b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x523B
    Size: 16500 bytes
    SHA-256: 67fc5177fd584259d92df2d04361ee5812aeaf6169251fafb29fd1ddf16900d3