Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0f78f65400327dd…

Verdict: MALICIOUS
File type: PDF
Size: 35.5 KB
Authoring application: OpenOffice Draw
MD5: 1014b07539d44a8416994bc3f4e66d70
SHA-1: 64500ae678334207b2f16e5eb9eeda2576d6c87f
SHA-256: e0f78f65400327dd0041ec915d0a7c89d18b07256d4309c701ca0ba8f8d51f2e
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected as malicious by ClamAV and an ML classifier, and exhibits a critical heuristic firing for a large number of embedded external PDF links. The document body contains a mix of seemingly unrelated text and the URLs themselves, suggesting a lure or redirection mechanism. The primary attack pattern involves leveraging these numerous links to direct users to potentially harmful content or further stages of infection.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://tudatosszex.hu/uploads/1/3/0/8/130874067/3613f39bc7203b5.pdf
    • http://nateberggren.com/uploads/1/3/0/5/130545001/zujegixumosunoxox.pdf
    • http://www.thebedrockinitiative.org/uploads/1/3/0/5/130551971/9203154.pdf
    • http://mvcheerpoms.org/uploads/1/3/0/4/130476525/jitufepemul.pdf
    • http://smootherwaters.com/uploads/1/3/0/5/130541313/7fb393f35295f.pdf
    • http://mixfruitonline.com/uploads/1/3/0/7/130776526/68665620.pdf
    • http://www.bodyworkbychar.com/uploads/1/3/0/4/130436089/4234368.pdf
    • http://teachersgottahaveasidehustle.shop/uploads/1/3/0/7/130776279/mitafetazetowin-dineba-xibeke-kuzelozepod.pdf
    • http://mfengshui.com/uploads/1/3/0/5/130540604/5592994.pdf
    • http://sparkmediasf.com/uploads/1/3/0/6/130639062/jegot-kumil.pdf
    • http://canberraveterinarycrisisfund.com/uploads/1/3/0/2/130288720/4247449.pdf
    • http://juliegmoreland.com/uploads/1/3/0/6/130604962/mukegalebagux_podadulikop_kexuvuzu_tediz.pdf
    • http://naturalslimmingcoffee.com/uploads/1/3/0/6/130621720/potuxojo.pdf
    • http://www.nordicxenia.com/uploads/1/3/0/6/130639025/rarelulimizuw_purusa.pdf
    • http://mail.responsiblysourced.co/uploads/1/3/0/5/130551086/xiriwudufej.pdf
    • http://condosinmanila.com/uploads/1/3/0/7/130739654/319884.pdf
    • http://animeresearch.com/uploads/1/3/0/6/130621031/fedivorodebimutubu.pdf
    • http://vegaspartycentral.com/uploads/1/3/0/5/130589151/ruparavowozopobutabu.pdf
    • http://mariana-test.devsite-1.com/uploads/1/3/0/6/130604394/130604394.html#fiba+basketball+world+cup+2019+games

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00002cb4.bin
    SHA-256: 1ca9adc50412c1654af4d21af542a91068290668fcc5d74d49731492de64aa65
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2CB4
    Size: 7888 bytes