Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb3bd082190db22a…

Verdict: MALICIOUS
File type: PDF
Size: 59.0 KB
Authoring application: OpenOffice Draw
MD5: d62637a94be106e63d0b24a5ee40ac69
SHA-1: 326f023b7afa2c273d0f5d3a6331707c26cf19df
SHA-256: fb3bd082190db22a1a36d88ca0645dfef0df0edf445ea16d1ac104e4b78699bd
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file was identified as malicious both by ML classification and by ClamAV, which flagged it as Pdf.Phishing.TtraffRobotInstall-7605656-0. The primary heuristic, PDF_SEO_LINK_FARM, fired on 31 external links to other PDF files, predominantly hosted on rawly.net. A small document whose body consists of little more than links to further PDFs is the pattern of a generated link farm that routes readers toward malicious or unwanted content rather than a normal citation pattern. No scripts (JavaScript or otherwise) were extracted from this sample, so the risk lies in where the links lead, not in code executed on open.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://rawly.net/uploads/1/3/0/5/130588232/9e536bc270.pdf
    • http://piercingpoli.com/uploads/1/3/0/6/130604887/0f4e62e831d9.pdf
    • http://magick-mart.com/uploads/1/3/0/4/130435751/14773.pdf
    • http://citizens-medicare.com/uploads/1/3/0/5/130550914/xadapoburefera-bujezozanudu.pdf
    • http://materiaent.net/uploads/1/3/0/6/130621201/6d0af5.pdf
    • http://sang-bleu.com/uploads/1/3/0/5/130551154/vogaboboterogejupon.pdf
    • http://rumbleandresist.org/uploads/1/3/0/3/130313086/6d21a15e85f0a0.pdf
    • http://r-ewolucje.com/uploads/1/3/0/5/130550703/4186120.pdf
    • http://binarysv.com/uploads/1/3/0/5/130551457/aed6304cb830f39.pdf
    • http://dcterrorisminsurance.com/uploads/1/3/0/4/130483454/502fee1e8cd914d.pdf
    • http://nocostupfront.website/uploads/1/3/0/8/130814644/jelofuja.pdf
    • http://johnnyhurd.com/uploads/1/3/0/6/130640066/tofuzibilinuviz.pdf
    • http://rightjoin.com/uploads/1/3/0/3/130313698/f17b73.pdf
    • http://dedrickenterprises.com/uploads/1/3/0/5/130551728/1139008.pdf
    • http://autodiscover.islandofsalvationbotanica.com/uploads/1/3/0/9/130969329/fa983ab8f9f.pdf
    • http://www.georgiaokragirl.shop/uploads/1/3/0/6/130621625/9130773.pdf
    • http://lunchbox-gourmet.com/uploads/1/3/0/4/130483656/17f88.pdf
    • http://sta-66-99-58-218.ladse.org/uploads/1/3/0/3/130379181/130379181.html#enterobacter+cloacae+%E0%B8%84%E0%B8%B7%E0%B8%AD
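The PDF_SEO_LINK_FARM heuristic described above, reimplemented here as an added example (this is not the scanner's own code). It pulls URLs out of link annotations (the /URI entry of a /Link annotation's action) and out of the raw document body, keeps the ones that point at .pdf files, clusters them by host, and fires when a small file carries many such links mostly on one host. The thresholds (100 KB, 20 links, 50% on one host), the build_pdf helper that constructs a minimal sample PDF, and the sample URL lists are assumptions made for the demonstration; only the rawly.net host is taken from the report.

```python
"""Link-farm heuristic over raw PDF bytes (added example, not the scanner's code)."""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI values inside link-annotation actions: /A << /S /URI /URI (http://...) >>
# Assumption: URLs are plain literal strings; PDF escape sequences and hex strings are not handled.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Bare URLs anywhere else in the (uncompressed) file body.
URL_RE = re.compile(rb"https?://[^\s()<>'\"]+")

SIZE_LIMIT = 100 * 1024   # hypothetical: what counts as a "small" PDF
MIN_LINKS = 20            # hypothetical: how many external PDF links is "mass"
MIN_CLUSTER = 0.5         # hypothetical: share of links that must sit on one host


def extract_urls(pdf_bytes):
    """Return {url: set(channels)}, labelling each URL with the channel(s) that reached it."""
    found = {}
    for m in URI_RE.finditer(pdf_bytes):
        found.setdefault(m.group(1).decode("latin-1"), set()).add("link_annotation")
    # Remove the annotation strings first so the body scan only reports URLs outside them.
    body = URI_RE.sub(b"", pdf_bytes)
    for m in URL_RE.finditer(body):
        found.setdefault(m.group(0).decode("latin-1"), set()).add("body")
    return found


def link_farm_verdict(pdf_bytes):
    """Apply the size / link-count / host-clustering rule and return the evidence with the verdict."""
    urls = extract_urls(pdf_bytes)
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    hit = len(pdf_bytes) <= SIZE_LIMIT and len(pdf_links) >= MIN_LINKS and share >= MIN_CLUSTER
    return {"size": len(pdf_bytes), "pdf_links": len(pdf_links), "top_host": top_host,
            "top_share": round(share, 2), "PDF_SEO_LINK_FARM": hit}


def build_pdf(urls, body_text=b""):
    """Construct a minimal one-page PDF with one /Link annotation per URL and an optional
    uncompressed content stream (constructed sample input for the heuristic)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            None]  # page object, filled once annotation/content object numbers are known
    annots = []
    for u in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                    b"/A << /S /URI /URI (%s) >> >>" % u.encode())
        annots.append(b"%d 0 R" % len(objs))
    contents = b""
    if body_text:
        objs.append(b"<< /Length %d >>\nstream\n%s\nendstream" % (len(body_text), body_text))
        contents = b" /Contents %d 0 R" % len(objs)
    objs[2] = (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]%s /Annots [%s] >>"
               % (contents, b" ".join(annots)))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (n, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# Constructed samples: a farm of 31 PDF links, 26 of them on rawly.net, versus a document
# with two ordinary citations plus one URL that only appears in the page text.
FARM_URLS = ([f"http://rawly.net/uploads/1/3/0/5/130588232/{i:02x}.pdf" for i in range(26)]
             + [f"http://other{i}.example/uploads/{i}.pdf" for i in range(5)])
BENIGN_URLS = ["https://www.rfc-editor.org/rfc/rfc8446.pdf", "https://example.org/paper.pdf"]
BENIGN_BODY = b"BT /F1 12 Tf (See https://example.com/errata for updates) Tj ET"

if __name__ == "__main__":
    print(link_farm_verdict(build_pdf(FARM_URLS)))
    print(link_farm_verdict(build_pdf(BENIGN_URLS, BENIGN_BODY)))
```

The verdict dict keeps the evidence (link count, dominant host, its share) alongside the boolean, which is what an analyst needs to triage a hit: a 31-link PDF with 84% of links on one host reads very differently from 31 links spread over 31 hosts.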

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000143a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x143A  8764 bytes
  SHA-256: 5dc094b69c6f7242e78ca5ab20d6b6f181d8f159e8a28d0639a96ea05837fa3d
font_01_sfnt_off0000a4ac.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA4AC  3156 bytes
  SHA-256: 4e9ae17c41f053e7ad2cff4c16f4465db96732130fdde230725ded2fe80853ad