Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1d8f77a21f0bbf1…

MALICIOUS

PDF

Size: 64.9 KB
Authoring application: OpenOffice Draw
MD5: d2d27e63d894fc128017a46b019d83a2
SHA-1: 4b3a636dc2313130f92d61975c2e28b248b27832
SHA-256: f1d8f77a21f0bbf12a3dc0352da6694df383854f721853239d2af540d5dd82c1
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing attempt. The heuristic 'PDF_SEO_LINK_FARM' indicates the document contains a large number of external links, all pointing to other PDF files. The document body, though heavily obfuscated, also contains many of these URLs. This suggests the primary function of this PDF is to act as a gateway, redirecting users to potentially malicious content hosted on numerous external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000177b.bin
SHA-256: 26f97e8f13ffe0ebb4d2b123b74d329500925764ee4311c14ae2c9e936f57342
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x177B
Size: 7960 bytes