Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe8d3fbf0b3b524e…

Verdict: MALICIOUS
File type: PDF
Size: 82.8 KB
Authoring application: OpenOffice Draw
MD5: 398166fcf46d0b143df86300e8b9a52d
SHA-1: 75fae4984c6831af708e3f1102c812ce1b4a7609
SHA-256: fe8d3fbf0b3b524e133c9533a6b7c2f8dd1c3893c65b100939f069e88ab50d11
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF documents, indicating it functions as a link farm. This is strongly suggested by the 'PDF_SEO_LINK_FARM' heuristic firing. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious intent, likely related to phishing or traffic redirection. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9723

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

  • stream_004_off00008ce0.bin
    SHA-256: 1e7f193219d252bff7b131d265a249595c1ec3ea33720dd30cb827603748dbae
    Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x8CE0; Size: 19308 bytes
  • font_00_sfnt_off0000579e.bin
    SHA-256: f5876bb0eda21d4c0e3becbdc404d1e4a14d89811f09b8f2aec1e019ec9e44f0
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x579E; Size: 3724 bytes
  • font_01_sfnt_off000063f5.bin
    SHA-256: bbd465158f88620f6b89bbc14fd4053a393fda34b464cf5d9625b9580ee6f51f
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x63F5; Size: 10240 bytes
  • font_02_sfnt_off00007975.bin
    SHA-256: b1118302c5517eb61a6a239cbb0c0398f36a596cc95e76ebefef7294164c1510
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x7975; Size: 7316 bytes
  • font_04_sfnt_off0000abec.bin
    SHA-256: 03742b3af56d0894ab5df65dc3134d6d1f1537ecfbbc759efc3d5c9763d8381a
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xABEC; Size: 6908 bytes
  • font_05_sfnt_off0000c206.bin
    SHA-256: 25210ba12aeb24b23a7f408187dfb784faa727fd123f685f3f2ae776772c54fe
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xC206; Size: 8116 bytes
  • font_06_sfnt_off0000db62.bin
    SHA-256: 3cef15fba8532ec0fd13f10d769cd930b7f4396e13ded5366012fab342fad235
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xDB62; Size: 11616 bytes