Malicious PDF — malware analysis report

Static analysis result for SHA-256 01664f50ddef62a8…

Verdict: MALICIOUS
File type: PDF
Size: 45.5 KB
Authoring application: Pdftk
MD5: f23a76606201033f2c72884460df424e
SHA-1: f1e110384e02fa66c11bd831b58a7760661cceaf
SHA-256: 01664f50ddef62a83adbd114f4d0d857e27493405e55fda20f9ff09222e5e506
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of embedded links, identified as a 'PDF_SEO_LINK_FARM' heuristic, which are likely intended to redirect users to malicious content. The document body, while appearing to be a resignation letter, also contains embedded URLs that are part of this link farm. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • font_00_sfnt_off0000121e.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x121E; Size: 8492 bytes
    SHA-256: 448145396957c62818ac8e1e268ee7be74154dfd3cafcf4b033df3d2de790a32
  • font_01_sfnt_off00006bd9.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x6BD9; Size: 16036 bytes
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63