Malicious PDF — malware analysis report

Static analysis result for SHA-256 c191f980b6acca96…

MALICIOUS

PDF

37.1 KB Authoring application: LibreOffice
MD5: c3751c46f1cf8d6654e083a0291438a9 SHA-1: a89674c670e3e463a6eaee9addb3a407a74dc664 SHA-256: c191f980b6acca9634ba69a5cabd6506cd797992557183f937a66da0eb414897
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded URLs pointing to other PDF files, indicating a link farm or redirection strategy. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly suggest malicious intent. The document body, though heavily obfuscated, contains some of these URLs, reinforcing the attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://jeff410.com/uploads/1/3/0/8/130815437/jawilipisu.pdf
    • http://annmariebagge.com/uploads/1/3/0/5/130547527/7f5a2c719a8e62.pdf
    • http://sheronneblasi.org/uploads/1/3/0/7/130775172/1379244.pdf
    • http://nsanegriplegendcarscom.com/uploads/1/3/0/5/130589360/xarof.pdf
    • http://www.yazamin.com/uploads/1/3/0/6/130604651/rorabiw_lufopodudi_kojiroz.pdf
    • http://powerofforgiveness.net/uploads/1/3/0/6/130620547/2300f22d75a.pdf
    • http://jerichodrum.net/uploads/1/3/0/5/130589078/8087149.pdf
    • http://rapkins.com/uploads/1/3/0/6/130621507/sokax_wuwixilal_sejevaw.pdf
    • http://nuvisionabroad.com/uploads/1/3/0/6/130640132/vibope.pdf
    • http://mx.consultamaribelamarillo.es/uploads/1/3/0/4/130476821/0b8b7f45cc48f.pdf
    • http://unmargin.com/uploads/1/3/0/8/130813141/xenafapawofu.pdf
    • http://kleintierscheune.de/uploads/1/3/0/7/130775456/likuso.pdf
    • http://ramosironworks.net/uploads/1/3/0/5/130544938/8256844.pdf
    • http://hi-techroofingsystemsllc.com/uploads/1/3/0/7/130739885/vezur.pdf
    • http://pixelfence.net/uploads/1/3/0/7/130776275/3911166.pdf
    • http://mimitrandesign.net/uploads/1/3/0/4/130483983/8893948.pdf
    • http://makeupbytash.com/uploads/1/3/0/4/130435711/xulima.pdf
    • http://www.palvelupesti.fi/uploads/1/3/0/6/130640190/nivoketa.pdf
    • http://host248.carmichaelnl.com/uploads/1/3/0/5/130590122/fejuzezalonegavuko.pdf
    • http://mysticthisweek.com/uploads/1/3/0/5/130590474/duminejadumapu.pdf
    • http://mgmalehair.com/uploads/1/3/0/4/130436451/8471687.pdf
    • http://hostmaster.lifeboxusa.org/uploads/1/3/0/6/130605416/8dfda8b.pdf
    • http://x0169003xstreamtravel.xsideas.com/uploads/1/3/0/4/130436439/130436439.html#icd-10-cm+code+for+abnormal+uterine+bleeding

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000031d8.bin
ede4e54797d433503afbd66b0f28a8bd0348d144264db198cacb6ce91f74c056		 pdf-font-stream PDF embedded font (sfnt) at offset 0x31D8 7144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.