Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff366c583aad6426…

MALICIOUS

PDF

31.3 KB Authoring application: LibreOffice Draw
MD5: bc87fa7be856595828b24a6a8c90df14 SHA-1: 48f2ba0f3ccfee4b91cab21adfdaca2cf7945726 SHA-256: ff366c583aad6426f8bce74a19e7bf27284012ff20efe5630ee2995df525a8f3
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including a critical alert for a link farm and ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The document body contains numerous external URLs pointing to other PDF files, suggesting a phishing or SEO spam campaign. The primary attack pattern involves leveraging these external links to distribute malicious content or manipulate search engine results.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.comfortablek9s.com/uploads/1/3/0/7/130775845/xenagemuxegobid.pdf
    • http://starbagsptsd.com/uploads/1/3/0/2/130272573/kotadusaxuwurajene.pdf
    • http://pluralform.se/uploads/1/3/0/6/130605217/93fd01497787.pdf
    • http://ennellgroup.com/uploads/1/3/0/2/130288551/3c56932.pdf
    • http://www.dpbhouse.com/uploads/1/3/0/2/130272629/5502096.pdf
    • http://sunsetsoapworks.com/uploads/1/3/0/6/130604631/puzalexi.pdf
    • http://lesslessmoremore.com/uploads/1/3/0/5/130551467/3802099.pdf
    • http://ns.koehlerscale.com/uploads/1/3/0/9/130969499/zanususo_risoled_venel_meleximoxi.pdf
    • http://mynukshuk.com/uploads/1/3/0/4/130477234/1f3605d87b0.pdf
    • http://www.aladybugsbaskets.com/uploads/1/3/0/7/130775987/750977.pdf
    • http://btctree.net/uploads/1/3/0/8/130815013/64713ccd166809.pdf
    • http://konstanzethomas.com/uploads/1/3/0/4/130489226/45238.pdf
    • http://myschoodle.net/uploads/1/3/0/7/130775557/zipegif.pdf
    • http://georgwebbtogo.com/uploads/1/3/0/5/130539849/xopes.pdf
    • http://themethodmeditation.com/uploads/1/3/0/5/130538902/4523b2e8dd.pdf
    • http://bucketsofbrassandcopper.com/uploads/1/3/0/6/130620607/1652582.pdf
    • http://nelsonbeatsthedrums.com/uploads/1/3/0/6/130621695/vefovivupilenubifufi.pdf
    • http://mirageestates.com/uploads/1/3/0/5/130589353/zofusi-lalekarosokomox-runigawud-xereru.pdf
    • http://customcablesandwallplates.com/uploads/1/3/0/7/130775935/julaxom.pdf
    • http://airvantageuas.com/uploads/1/3/0/7/130775145/8207fe2e162cd.pdf
    • http://sta-66-99-58-197.ladse.org/uploads/1/3/0/2/130288939/130288939.html#rustoleum+red+oxide+primer+review

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001bcb.bin
cb892cb5de08411ef1535bc5b2c0a91e4f52e91349d822bc7cb8519833c9f033		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1BCB 7296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.