Malicious PDF — malware analysis report

Static analysis result for SHA-256 009f85201ee45508…

Verdict: MALICIOUS
File type: PDF
Size: 63.8 KB
Authoring application: Smallpdf Desktop
MD5: f6d00ecc2732713514846e1e4e61cac4
SHA-1: 5baa991bb2d0f8d21603aca52ac2c2cfc7a03fe4
SHA-256: 009f85201ee455087d38f9d0ef15f2b0b25b734df3e1d8d0453210527b824ccb
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link
  • T1204.001 Malicious Link
  • T1059.001 PowerShell

This PDF file was flagged by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule and ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0. The document contains a large number of embedded URLs, indicating a likely attempt to redirect users to malicious sites. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.hannahsresale.com/uploads/1/3/0/4/130435721/92fec3b12171d7.pdf
    • http://joelwolfgang.com/uploads/1/3/0/6/130639093/f908d.pdf
    • http://phantomofthepasta.com/uploads/1/3/0/5/130545643/pixaxopakipabi.pdf
    • http://noahguystaffing.com/uploads/1/3/0/2/130289736/3895285.pdf
    • http://livingstones-vdc.com/uploads/1/3/0/8/130874063/7625224.pdf
    • http://serp-online.org/uploads/1/3/0/5/130589295/zanupu_vifujavo_jafilepamodidu.pdf
    • http://rscrystalmedicine.com/uploads/1/3/0/6/130639676/8423118.pdf
    • http://soultender.info/uploads/1/3/0/5/130551331/141108c465.pdf
    • http://royal34.net/uploads/1/3/0/4/130491513/gogusurovimuw-wasunabise.pdf
    • http://pruned.in/uploads/1/3/0/2/130289467/jibapavejapotov-nekum-mopinuranojoxe-fiviwa.pdf
    • http://mindstate.store/uploads/1/3/0/6/130605094/wuwuwebono.pdf
    • http://www.gatsbybandorlando.com/uploads/1/3/0/4/130488338/93525d3f3207.pdf
    • http://miamibikelawyer.com/uploads/1/3/0/5/130551066/pidusubobeku-nerijagikobu.pdf
    • http://bestforexrebates.com/uploads/1/3/0/7/130740180/tapedoki.pdf
    • http://jkremodeling.org/uploads/1/3/0/6/130640025/8111133.pdf
    • http://mrccustomdesigns.com/uploads/1/3/0/2/130287500/4467635.pdf
    • http://midwestmusclebullyclub.com/uploads/1/3/0/2/130288402/mumaredavakir.pdf
    • http://kaysboudoir.pftsports.com/uploads/1/3/0/6/130620788/5444882.pdf
    • http://exchangeclubmobile.org/uploads/1/3/0/5/130590308/1970313.pdf
    • http://mckinneytechsolutions.net/uploads/1/3/0/3/130379222/gulezikudaruxi.pdf
    • http://webdisk.euccommunity.com/uploads/1/3/0/5/130589122/vewabiwularuja.pdf
    • http://bartbenson.com/uploads/1/3/0/5/130588547/48b1b98597.pdf
    • http://klbhomecraftersllc.com/uploads/1/3/0/7/130775269/vufejujosuzibe_kasaxepone.pdf
    • http://harrisonrappaport.com/uploads/1/3/0/4/130483868/130483868.html#diy+small+greenhouse+plans

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001852.bin
SHA-256: f3102970c6d6a2655b63a9fad3a8688725db07e26e9ec71ac7acf0b3baaa6720
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1852
Size: 7856 bytes