Malicious PDF — malware analysis report

Static analysis result for SHA-256 f9fe0918888db603…

MALICIOUS

PDF

Size: 38.6 KB
Authoring application: OpenOffice.org
MD5: 03bd6f6edbd66a24435d3f18b5e33cae
SHA-1: 5169c3ed8af525ed23536fe12352a20247c5be26
SHA-256: f9fe0918888db603a09f194d30d067ea836de23d867cf30836033cbb4f554def
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link
  • T1059.001 PowerShell

The PDF contains a large number of external links to other PDF files hosted on many unrelated domains, a distribution that matches a link farm or redirection scheme rather than a normal document citation pattern. The ClamAV signature and the ML classifier both flag the file as malicious. The PDF_SEO_LINK_FARM heuristic matches this structure, with dhillon-s-ltd.com as the dominant host. No JavaScript or other scripts were extracted from this sample, so the file itself carries no executable payload; the link structure and URL distribution point instead to its role as a delivery stage that routes users to further malicious content hosted elsewhere.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Dropper.Agent-7866081-0
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7866081-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://dhillon-s-ltd.com/uploads/1/3/0/4/130476624/xamobex.pdf
    • http://connect.barandudacommunitychurch.org/uploads/1/3/0/4/130483911/d276c.pdf
    • http://josettesphotography.com/uploads/1/3/0/8/130814345/b560c065cf882.pdf
    • http://royalflorals.com/uploads/1/3/0/5/130588968/pitulibijenazer.pdf
    • http://jeanbaptistevivier.com/uploads/1/3/0/7/130776740/1ef8ad455a9f763.pdf
    • http://lemonews.com/uploads/1/3/0/5/130543546/5812323.pdf
    • http://morris-imports.com/uploads/1/3/0/4/130436298/e5e71c909303.pdf
    • http://securehamptons.com/uploads/1/3/0/7/130739713/6754132.pdf
    • http://nmation.org/uploads/1/3/0/4/130476503/wipafiripewujufaron.pdf
    • http://fortrackit.site/uploads/1/3/0/8/130815437/9530848.pdf
    • http://mostprograms.net/uploads/1/3/0/7/130739887/5001956.pdf
    • http://simonheptinstall.com/uploads/1/3/0/6/130640053/328313.pdf
    • http://gamefarm.org/uploads/1/3/0/2/130270879/dajoj_gukiporesumuke_fufekirerur.pdf
    • http://shardworld.com/uploads/1/3/0/5/130545021/jaxulebunefo_lopusupimevo_famuduwur_pabewoba.pdf
    • http://staceyclarkdllportfolio.com/uploads/1/3/0/7/130739416/852150.pdf
    • http://adrisbeautystudio.com/uploads/1/3/0/6/130639777/69456c50d.pdf
    • http://rajadiveisland.com/uploads/1/3/0/8/130814769/2062f0152e01108.pdf
    • http://godblesszilla.com/uploads/1/3/0/5/130542859/5290252.pdf
    • http://jaimetorresfidalgo.com/uploads/1/3/0/5/130588751/130588751.html#hemoglobin+a1c+and+glucose+chart
    • http://nmation.org/uploads/1/3/0/4/13
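
The PDF_SEO_LINK_FARM heuristic above is easy to reproduce for triage. The following Python is an added example written for this page, not the analysis platform's own implementation: it pulls /URI link actions out of raw PDF bytes, counts external and .pdf-targeted links, measures how many cluster on one host, and applies size and ratio thresholds. The thresholds, the helper names and the sample PDF (built inline from placeholder hosts) are all assumptions for illustration; the real sample's hosts and counts are not reproduced.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Matches the literal-string form of a URI action: /URI (http://...)
# Escaped parentheses inside the string are tolerated by the alternation.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def extract_link_uris(pdf_bytes: bytes) -> list:
    """Return every /URI literal string found in raw PDF bytes, unescaped.

    Caveat: this only sees URIs stored as uncompressed literal strings.
    Annotations inside FlateDecode object streams, or URIs written as hex
    strings, need a real PDF parser (e.g. pypdf) or a decompression pass.
    """
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_verdict(pdf_bytes: bytes, max_size=100_000, min_links=8,
                      min_pdf_share=0.7, min_dominant_share=0.5) -> dict:
    """Score a PDF against an assumed link-farm rule (thresholds are illustrative).

    Triggers when the file is small, carries many external links, most of
    them point at .pdf targets, and a single host dominates the set.
    """
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    dominant_host, dominant_count = hosts.most_common(1)[0] if hosts else (None, 0)
    n = len(external)
    result = {
        "size": len(pdf_bytes),
        "external_links": n,
        "pdf_links": len(pdf_links),
        "dominant_host": dominant_host,
        "dominant_share": dominant_count / n if n else 0.0,
        "pdf_share": len(pdf_links) / n if n else 0.0,
    }
    result["triggered"] = (
        result["size"] <= max_size
        and n >= min_links
        and result["pdf_share"] >= min_pdf_share
        and result["dominant_share"] >= min_dominant_share
    )
    return result


def build_sample_pdf(uris) -> bytes:
    """Constructed minimal PDF body with one /Link annotation per URI.

    Illustration only: enough structure for the regex scanner, not a fully
    valid PDF (no xref table or page tree).
    """
    out = [b"%PDF-1.4", b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj"]
    for i, u in enumerate(uris, start=3):
        out.append(
            b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            b"/A << /S /URI /URI (%s) >> >> endobj" % (i, u.encode("latin-1"))
        )
    out.append(b"%%EOF")
    return b"\n".join(out) + b"\n"


# Constructed link set: twelve .pdf links on one placeholder host, three on
# other hosts, and one .html link, mimicking the clustering seen in the report.
SAMPLE_URIS = (
    [f"http://farm-host.example/uploads/1/3/0/4/{130476600 + i}/{i:04x}.pdf" for i in range(12)]
    + [
        "http://other-one.example/uploads/1/3/0/5/130588968/a.pdf",
        "http://other-two.example/uploads/1/3/0/7/130776740/b.pdf",
        "http://other-three.example/uploads/1/3/0/8/130815437/c.pdf",
        "http://other-four.example/uploads/1/3/0/5/130588751/130588751.html#chart",
    ]
)

if __name__ == "__main__":
    print(link_farm_verdict(build_sample_pdf(SAMPLE_URIS)))
```

The dominant-host share is the discriminating feature: a genuine reference-heavy document also has many external links, but they spread across hosts and rarely all end in .pdf. Run the verdict over a decompressed copy of the file when annotations live in object streams, otherwise the regex will undercount.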

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003679.bin
SHA-256: 9d6a6b8865ce29f8a294c07968fa2e033fa8db99c1dd166c9f3831a45b15d11e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3679
Size: 8904 bytes