Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4b3b4a1cb739849…

MALICIOUS

File type: PDF (37.6 KB)
Authoring application: OpenOffice Draw
MD5: b8c3efe135fa25154e854897a6d384b0
SHA-1: 8fb9377dca6194c7bee9686a05b87e2bc46862be
SHA-256: c4b3b4a1cb739849ff55717318f5bf203f4981319523fa04c4e66d92459a2512
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link
(The technique names above were originally paired with the IDs T1566.002 and T1204.002, which denote Spearphishing Link and Malicious File respectively; the IDs have been corrected to match the named techniques, which are the ones a link-carrying PDF attachment maps to.)

The PDF carries 16 clickable external links, which is what fired the PDF_SEO_LINK_FARM heuristic. All but one point at further .pdf files, and every one of them uses the same path template (/uploads/1/3/0/N/130NNNNNN/<name>) on 16 different hosts; the single .html target ends in an SEO keyword fragment. That is the footprint of mass-generated link-farm PDFs rather than a document citing sources. ClamAV matched the file as Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier scored it 1.0000 malicious. Nothing beyond the links and the AV signature fired, so the risk is in the link chain itself: a user who follows one of these links is routed through further generated PDFs or pages that can redirect to malicious sites or unwanted-software downloads. The hosts and path template, not the document bytes, are the indicators worth blocking.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links. The heuristic's generic description expects the links to cluster on one host; in this sample they are spread across 16 hosts but share a single path template (/uploads/1/3/0/N/130NNNNNN/), which is the same mass-generated pattern. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://tactical-professionals.com/uploads/1/3/0/8/130874680/roxujifuvodup.pdf
    • http://leftproject.org/uploads/1/3/0/6/130621734/mutebogalizom.pdf
    • http://musmuin.com/uploads/1/3/0/4/130483384/dipevisevedipi.pdf
    • http://100wwclickingcounty.org/uploads/1/3/0/7/130776648/5410943.pdf
    • http://yongliyulechengbaijialedubo.f18.ebkf.org/uploads/1/3/0/5/130588393/podewebobabenikabide.pdf
    • http://basauribai.com/uploads/1/3/0/5/130550679/2843112.pdf
    • http://itsmrjack.com/uploads/1/3/0/5/130552016/1122338.pdf
    • http://plumbingsimivalley.net/uploads/1/3/0/3/130313748/053667b.pdf
    • http://x64.net/uploads/1/3/0/8/130814290/vafumixasuzugumaliko.pdf
    • http://charlescc.com/uploads/1/3/0/4/130483413/kivuwexewo.pdf
    • http://riverglenwealthcounselors.com/uploads/1/3/0/5/130539004/wijigixisuwuwu_pimivima.pdf
    • http://www.ecotherapyspiritualcenter.com/uploads/1/3/0/7/130776692/nonatev-fetese-nulofelofoxaz.pdf
    • http://thehealthychocolateshop.com/uploads/1/3/0/5/130543816/8475643.pdf
    • http://webmail.susanrlawrence.com/uploads/1/3/0/4/130489377/nemozijale.pdf
    • http://reginavalle.com/uploads/1/3/0/7/130738929/8a29ca4400ce89e.pdf
    • http://pleasurehouseva.gammaxiques.org/uploads/1/3/0/7/130739680/130739680.html#flames+of+war+open+fire+for+sale
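The heuristic above reduces to three measurable properties: the file is small, it carries many http(s) link targets, and those targets cluster on one host or, as in this sample, on one path template across many hosts. The block below is an added example written for this page, not the analyser's own code: it pulls /URI action strings out of raw PDF bytes, collapses each path to a digit-normalised template, and applies a small/many/clustered check with illustrative thresholds. The sample PDF, its .test hosts and the threshold values are constructed for the example; only the path shape is borrowed from the URLs listed above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for a small link-farm PDF (not the analysed sample).
# Hosts are reserved .test names; the path template mirrors the shape seen
# in the report's URLs. Only the /URI action strings matter to the check.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-a.test/uploads/1/3/0/8/130874680/aaaa.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-b.test/uploads/1/3/0/6/130621734/bbbb.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-c.test/uploads/1/3/0/4/130483384/cccc.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.w3.org/TR/PDF/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI (...) literal strings; handles backslash-escaped characters inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uri_links(pdf_bytes):
    """Return the URI action targets found in raw PDF bytes.

    Scans uncompressed objects only; hex-string URIs and URIs inside
    Flate-compressed object streams are not covered, so a real pipeline
    must decode those first or the link count will be undercounted.
    """
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def path_template(url):
    """Drop the final file-name segment and replace digit runs with '#',
    so /uploads/1/3/0/8/130874680/x.pdf and /uploads/1/3/0/6/130621734/y.pdf
    collapse to the same template."""
    head = urlsplit(url).path.rpartition("/")[0]
    return re.sub(r"\d+", "#", head) + "/"


def link_farm_heuristic(pdf_bytes, max_size=64 * 1024, min_links=3, min_share=0.5):
    """Approximation of a 'small PDF, mass external links' heuristic.

    Flags when the file is at most max_size bytes, carries at least
    min_links http(s) links, and either one host or one path template
    accounts for at least min_share of them. Thresholds are illustrative,
    not the vendor's.
    """
    links = [u for u in extract_uri_links(pdf_bytes) if u.startswith(("http://", "https://"))]
    hosts = Counter(urlsplit(u).hostname for u in links)
    templates = Counter(path_template(u) for u in links)
    top_host, host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tmpl, tmpl_n = templates.most_common(1)[0] if templates else (None, 0)
    n = len(links)
    host_share = host_n / n if n else 0.0
    tmpl_share = tmpl_n / n if n else 0.0
    return {
        "size": len(pdf_bytes),
        "n_links": n,
        "n_hosts": len(hosts),
        "dominant_host": top_host,
        "host_share": host_share,
        "dominant_template": top_tmpl,
        "template_share": tmpl_share,
        "flagged": len(pdf_bytes) <= max_size and n >= min_links
                   and max(host_share, tmpl_share) >= min_share,
    }


if __name__ == "__main__":
    for key, value in link_farm_heuristic(SAMPLE_PDF).items():
        print(f"{key:>18}: {value}")
```

Run against the constructed sample, the four links resolve to four distinct hosts (so a host-only cluster check would miss it) but three of the four share the template /uploads/#/#/#/#/#/, which is what carries the verdict. The template normalisation is the part worth keeping: it is what separates generated carriers from a document that happens to cite several sites.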

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003655.bin
SHA-256: d847532fbc26f0fbabe1ad2c500b6480b7175f9f34806b60a469f3bdf936e180
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3655
Size: 8540 bytes
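The one carved artifact is an embedded font program, named by its sfnt type and the file offset of the stream body. As an added example (not the analyser's carving code), the block below shows how such an artifact is produced and verified: it walks PDF stream objects, honours a direct /Length where present, inflates /FlateDecode bodies, and keeps only payloads that begin with an sfnt magic, so that a stream labelled as a font but carrying something else is not mislabelled. The sample PDF and its made-up TrueType header are constructed for the example; the off0000xxxx naming follows the artifact name above.

```python
import hashlib
import re
import zlib

# sfnt-family magic values at offset 0 of an embedded font program.
SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Apple)",
    b"OTTO": "OpenType/CFF",
    b"ttcf": "TrueType collection",
}

# Constructed sample, not the analysed file: a made-up sfnt header
# (version 0x00010000, numTables = 1) plus zero filler, Flate-compressed
# into a /FontFile2 stream the way PDF embeds TrueType programs.
FAKE_SFNT = b"\x00\x01\x00\x00\x00\x01\x00\x10\x00\x00\x00\x00" + b"\x00" * 52
FONT_STREAM = zlib.compress(FAKE_SFNT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"5 0 obj << /Type /FontDescriptor /FontName /Fake /FontFile2 6 0 R >> endobj\n"
    b"6 0 obj << /Length " + str(len(FONT_STREAM)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + FONT_STREAM + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Flat (non-nested) stream dictionaries followed by the stream keyword.
STREAM_RE = re.compile(rb"<<([^>]*)>>\s*stream\r?\n")
# Direct integer /Length only; an indirect "/Length 7 0 R" is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def carve_fonts(pdf_bytes):
    """Carve sfnt font programs out of PDF streams.

    For each stream: take /Length bytes when it is a direct integer,
    otherwise scan to 'endstream' and strip the single EOL the spec puts
    before it; inflate if /FlateDecode is set; keep the payload only when
    it starts with an sfnt magic. 'offset' is the file offset of the
    stream body, which is what off0000xxxx in the artifact name records.
    """
    carved = []
    for m in STREAM_RE.finditer(pdf_bytes):
        header, start = m.group(1), m.end()
        lm = LENGTH_RE.search(header)
        if lm:
            raw = pdf_bytes[start:start + int(lm.group(1))]
        else:
            end = pdf_bytes.find(b"endstream", start)
            if end < 0:
                continue
            raw = pdf_bytes[start:end]
            raw = raw[:-2] if raw.endswith(b"\r\n") else raw[:-1] if raw.endswith(b"\n") else raw
        if b"/FlateDecode" in header:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # damaged or non-Flate body: nothing to carve
        else:
            data = raw
        kind = SFNT_MAGICS.get(data[:4])
        if kind is None:
            continue  # stream is not a font program, whatever its label
        carved.append({
            "name": f"font_{len(carved):02d}_sfnt_off{start:08x}.bin",
            "offset": start,
            "size": len(data),
            "kind": kind,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return carved


if __name__ == "__main__":
    for f in carve_fonts(SAMPLE_PDF):
        print(f"{f['name']}  {f['kind']}  {f['size']} bytes  sha256={f['sha256']}")
```

The magic check is the security-relevant step: a /FontFile2 stream whose decoded body is not an sfnt is exactly the kind of object that deserves a closer look, and a carver that trusts the dictionary label would file it under fonts. Streams with nested dictionaries or object-stream-packed fonts are outside what this simple scanner handles.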