Malicious PDF — malware analysis report

Static analysis result for SHA-256 fcea320fa4382e87…

Verdict: MALICIOUS
File type: PDF
Size: 33.3 KB
Authoring application: OpenOffice Draw
MD5: fc46f12ef233857764b478c5a4013f25
SHA-1: 09ef48d88440853217901e8ec97d1154b5c25dc9
SHA-256: fcea320fa4382e87666b782c0b4010203c03e16b6abbd42ccfbc2230b40930db
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The PDF_SEO_LINK_FARM heuristic specifically identified a large number of embedded external links, with the primary suspicious URL being http://bicepsandbananas.com/uploads/1/3/0/2/130291874/zunino-guwolurabalid.pdf. This suggests the document is designed to lure users to external sites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://bicepsandbananas.com/uploads/1/3/0/2/130291874/zunino-guwolurabalid.pdf
    • https://savoposajurabe.weebly.com/uploads/1/3/0/4/130489377/vazadu-gudunaguwilavek-gekimi.pdf
    • http://gotopo.comunicazionequantistica.com/uploads/2020/01/27/2969086.pdf
    • https://weliwonilubo.weebly.com/uploads/1/3/0/3/130323156/zojipixonumukexaf.pdf
    • http://wafa.site-elit.ru/uploads/2020/01/29/4028362.pdf
    • http://ssvfcpc.org/uploads/1/3/0/6/130605028/goradebu.pdf
    • http://strinition.ru/uploads/2020/01/27/xebuvutobamedopafite.pdf
    • http://letuzogemu.event55.ru/uploads/2020/01/28/xowara-mufanuvufa.pdf
    • http://adentavietnam.com/uploads/1/3/0/6/130603925/gexasavematufuxinij.pdf
    • https://rajumusarop.weebly.com/uploads/1/3/0/4/130491850/ef20bfb2bd.pdf
    • http://551myersavenue.com/uploads/1/3/0/4/130436196/dagis.pdf
    • https://malidobatupi.weebly.com/uploads/1/3/0/5/130542872/8123648.pdf
    • http://kazumus.cheapoffice.ru/uploads/2020/01/27/dd3ddb0735a435.pdf
    • http://rixe.smart161.ru/uploads/2020/01/28/1550626.pdf
    • http://moralish.com/uploads/1/3/0/6/130639910/54851.pdf
    • http://gos.asolar.shop/uploads/2020/01/29/wulufusovuxi_vamamegaselop_boxanuw_sefig.pdf
    • http://luw.vipiski-besplatno7.icu/uploads/2020/01/29/1062958.pdf
    • http://keepkickincloggersmacon.com/uploads/1/3/0/4/130476652/wopaxeretebawanebevu.pdf
    • http://mynaturalhairspa.com/uploads/1/3/0/5/130588244/130588244.html#owon+oscilloscope+software+manual

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001543.bin
SHA-256: 5ed75a2ad5117b3ce96b0a9a920bdd86424e36b64fcbe17333ed906d0c1c7a3c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1543
Size: 7848 bytes