Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf613b0b47fcf3d2…

Verdict: MALICIOUS

File type: PDF

Size: 33.6 KB
Authoring application: OpenOffice.org
MD5: 242a2f30d75d4ece790b546995da0452
SHA-1: 2b5cc555b3bf42c9a078b1911ef3f46a49c4a18b
SHA-256: cf613b0b47fcf3d272ee8e836f26bc2f04e6ef4dc97f0611bfc074551a6260ba
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique commonly used for SEO poisoning and phishing. The document body mimics an annual report and financial statements to deceive users into clicking these links. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution via the linked PDFs.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000026de.bin
SHA-256: 2ce990d7b5911fbfa13f47394699d6613782c4feb2970d8c329c9badbe6d3b68
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x26DE
Size: 7564 bytes