Malicious PDF — malware analysis report

Static analysis result for SHA-256 b919b933eef1c026…

Verdict: MALICIOUS
File type: PDF
Size: 38.0 KB
Authoring application: OpenOffice.org
MD5: acb2a5d86b382e099a694528836d24f4
SHA-1: 912f4fb9c9b0a3c1f91850a5f31437f95f9199e7
SHA-256: b919b933eef1c0261422f2729febecb7a1ddf6cb888d6c26faf2e3a48a16bb6e
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The PDF_SEO_LINK_FARM heuristic identified a large number of embedded URLs pointing to external PDF files. These links are likely used to distribute further malware or conduct phishing attacks. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://mail.southarkfire.com/uploads/1/3/0/7/130740013/5886467.pdf
    • http://montezgame.com/uploads/1/3/0/5/130590126/083c8.pdf
    • http://blakedroesch.com/uploads/1/3/0/5/130539494/xezob.pdf
    • http://christmasiscominghome.ca/uploads/1/3/0/4/130483136/watubidigu.pdf
    • http://www.ops-williamsfirsties.com/uploads/1/3/0/8/130814596/kopenugijefexuz.pdf
    • http://balloonsoverbranson.com/uploads/1/3/0/4/130489262/8ac4e75af.pdf
    • http://western-union-vietnam.online/uploads/1/3/0/7/130740553/188a2.pdf
    • http://audioallure.com/uploads/1/3/0/6/130621402/finudedidasubu_sakipojupam_jofulajoke_nuvigo.pdf
    • http://coreydennison.net/uploads/1/3/0/4/130435826/9b5c026608de4.pdf
    • http://onlythedrops.com/uploads/1/3/0/6/130639363/zobiwepubobatimunaw.pdf
    • http://koldenpianolessons.com/uploads/1/3/0/6/130604556/zosojaluximavon-bupukanun-vogomeg-musozekid.pdf
    • http://balihaidreams.com/uploads/1/3/0/7/130776655/pumixuf_futajinedatovu_jetipovofu.pdf
    • http://mywelby.org/uploads/1/3/0/2/130289457/cf94f62520dd.pdf
    • http://web5.pleasingfood.com/uploads/1/3/0/6/130639593/130639593.html#amigurumi+cat+toy+ball

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003b40.bin
SHA-256: 730dc7242ce5ea41311a5a9557bc4d95506c3c2195ce78b4ba80475236164275
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3B40
Size: 8080 bytes