Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6fc0dd9d6d3c992…

Verdict: MALICIOUS
File type: PDF
Size: 37.6 KB
Authoring application: LibreOffice
MD5: ebc967d10c1d1de2b08eb52e1829ab66
SHA-1: 8a0642324d3ccde2920a5845191b4e9c3044b6f5
SHA-256: e6fc0dd9d6d3c992edd94cbc8ece223e85f28999a959fa7009b12d7cd2cf10d8
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The primary attack pattern observed is a link farm, with numerous embedded URLs pointing to external PDF files. The document body contains seemingly random text and URLs, suggesting it is designed to evade simple content analysis while serving as a vehicle for these links. The presence of many external links strongly suggests a phishing or redirection attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mariaevangelizadoraradio.net/uploads/1/3/0/5/130589145/4424925.pdf
    • http://www.rememberingericcoates.com/uploads/1/3/0/6/130621228/gazip.pdf
    • http://connexionadr.com/uploads/1/3/0/4/130483953/aac499dab1a.pdf
    • http://modaallettante.com/uploads/1/3/0/6/130621791/jixarogegerux.pdf
    • http://stevenyewmagic.com/uploads/1/3/0/9/130969501/bf740c754c2a2a6.pdf
    • http://nofeebt.com/uploads/1/3/0/6/130639827/dobimuxi_rifufaxevukutoj_dodawoku_xifilunulu.pdf
    • http://bellamayphotography.com/uploads/1/3/0/5/130540619/woluzexiran.pdf
    • http://newportfamilyfarms.com/uploads/1/3/0/4/130435684/zitizaralotugor-wuguwitexewid-xizezosav.pdf
    • http://confessionsofthehornychristian.com/uploads/1/3/0/7/130775254/nazilef.pdf
    • http://liberty-rc.com/uploads/1/3/0/4/130483928/7803870.pdf
    • http://madeiradrywall.com/uploads/1/3/0/5/130588221/gotakamokajob.pdf
    • http://www.fortitudecapitalmgt.com/uploads/1/3/0/2/130287536/momolipa.pdf
    • http://ctodesign.com/uploads/1/3/0/2/130289418/4819909.pdf
    • http://minoritypodcast.com/uploads/1/3/0/3/130379818/dixezosep-solokujinexafe.pdf
    • http://stillwaterfiretower.com/uploads/1/3/0/6/130639549/a7e6cbe8e1892b.pdf
    • http://pitparts.net/uploads/1/3/0/7/130775279/siwujas.pdf
    • http://geigersound.com/uploads/1/3/0/5/130551058/3609501.pdf
    • http://kmcreecy.com/uploads/1/3/0/3/130313333/wolumolazuxogafo.pdf
    • http://carlyzimmerman.com/uploads/1/3/0/2/130270813/mivevevemeworokupig.pdf
    • http://soundvisiondecor.com/uploads/1/3/0/5/130544437/27ae7dfdd09652.pdf
    • http://mojiles.net/uploads/1/3/0/3/130324005/gagepepiboj.pdf
    • http://mathsgrant.com/uploads/1/3/0/7/130739558/2b7b1bea2c94333.pdf
    • http://cpanel.callbuddys.com/uploads/1/3/0/5/130538988/rafisububodepu_jatenazunemu.pdf
    • http://bet365tikuannagezuizhuanye.br3h.com/uploads/1/3/0/4/130476563/130476563.html#perirectal+abscess+with+fistula+icd+10

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000030e7.bin
SHA-256: b1bcbcc9c7f93829c269125765fa74fb0b90d3ba595e0e81bf01a2f903c4ef96
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x30E7
Size: 7748 bytes