Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ccfea6f40e2a3d0…

Verdict: MALICIOUS

File type: PDF

Size: 49.3 KB
Authoring application: OpenOffice Draw
MD5: b28628af97606169e023b1d5b0e01fb1
SHA-1: 3182b6503a3c345cf6e023a0584b3de4f01b85ce
SHA-256: 9ccfea6f40e2a3d0ab8508902924de15fcf6c333a342ded552546df0b4422ab0

Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution. The embedded URLs are the primary indicators of compromise, suggesting a redirection or download mechanism.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003ea2.bin
    SHA-256: 2e39cfaab16dbc663371d18113868578b99e0d06baffc7c3da0ef8e2ebd537bc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3EA2
    Size: 7388 bytes
  • Filename: font_01_sfnt_off00005a1b.bin
    SHA-256: 00f230d3da3ee7c48fb901a2461d56c4e74538995a44eb1a2f1d5c38b69d252a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5A1B
    Size: 12956 bytes