Malicious PDF — malware analysis report

Static analysis result for SHA-256 bfb87c1f9d958063…

Verdict: MALICIOUS
File type: PDF
Size: 35.6 KB
Authoring application: OpenOffice.org
MD5: 9c38d9c2d2643f0049154349371a632e
SHA-1: 19af797e7378917bdb88b1933cfff2bdbf2d90fd
SHA-256: bfb87c1f9d958063f7f31bfcaf162019c06a8c5d79cb47e876f069e54e90eaa4
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO spam or to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate malicious intent. The document body itself is heavily corrupted and unreadable, providing no further context.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.anthonymcmaster.com/uploads/1/3/0/5/130590157/bogab.pdf
    • http://monsterwrecker.net/uploads/1/3/0/4/130477663/854b69b5.pdf
    • http://desertside.com/uploads/1/3/0/7/130738841/5375054.pdf
    • http://thesustainables.biz/uploads/1/3/0/6/130639775/jepaxorutujupiweki.pdf
    • http://alicetxchamber.org/uploads/1/3/0/2/130271081/3986f1bbeae2ed5.pdf
    • http://traceyharnish.com/uploads/1/3/0/4/130435702/cfaaa94a44400.pdf
    • http://poppies-daycare.co.uk/uploads/1/3/0/6/130640111/tepal-katidi-kosajefugazeler.pdf
    • http://djbradymobileent.com/uploads/1/3/0/5/130590059/292655de5d7a19.pdf
    • http://lovelifeagain-lifecoachingmore.com/uploads/1/3/0/5/130550664/70b19767742b0b.pdf
    • http://dirtydevillemusic.com/uploads/1/3/0/4/130490668/2758465.pdf
    • http://novelsf.com/uploads/1/3/0/4/130490006/af58acd862ef49f.pdf
    • http://modajewelry.shop/uploads/1/3/0/3/130379147/cc2afd71.pdf
    • http://candleincome.com/uploads/1/3/0/6/130640092/78d8b99ef5a4d.pdf
    • http://unfairadvantageonline.com/uploads/1/3/0/6/130620751/mejed.pdf
    • http://chrisscottholmes.com/uploads/1/3/0/2/130288399/nevawakuzatesuxejeta.pdf
    • http://murphcooper.com/uploads/1/3/0/4/130483454/tukezumupu.pdf
    • http://beautyparty.co.uk/uploads/1/3/0/7/130776246/9344636.pdf
    • http://antoniobuehler.com/uploads/1/3/0/6/130604982/3069996.pdf
    • http://labellewinery.net/uploads/1/3/0/2/130289315/6634454.pdf
    • http://airinbudiman.com/uploads/1/3/0/3/130379173/vetupageduvesode.pdf
    • http://warrenbsmith.org/uploads/1/3/0/7/130775727/d9600caf624539d.pdf
    • http://jeffreyvictor.net/uploads/1/3/0/5/130551127/wamurusubetelasoxag.pdf
    • http://tangball-online.lucky1st.com/uploads/1/3/0/4/130476014/130476014.html#letter+of+recommendation+school+example
    • http://unfairadvantageonline.com/uploads/1/3/0/6/130620751/mejed.p

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002d68.bin
SHA-256: ff232cdcf6cc7e7555db46503ab709f808386ee8c4efbeccdecb408d50f8563a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2D68
Size: 6604 bytes