Malicious PDF — malware analysis report

Static analysis result for SHA-256 019c230eac7f67c1…

Verdict: MALICIOUS
File type: PDF
Size: 37.2 KB
Authoring application: PDF Studio
MD5: 019465d98364859744f3d589641ad8c9
SHA-1: cad767b51c237a293526e5ac63a76c0fe6613008
SHA-256: 019c230eac7f67c1355c80888c519e6e9b9dacf3a21f14fbd9543cfc2ce10945
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document was identified as malicious by ML classifiers and ClamAV, specifically flagged as a phishing/traffic robot installer. The heuristic 'PDF_SEO_LINK_FARM' indicates the presence of numerous embedded external links, with the first observed URL being http://webdisk.profi-r-line.com/uploads/1/3/0/7/130776486/1bba368.pdf. This suggests the primary function is to redirect users to a large number of other PDF files, likely for malicious distribution or SEO spam.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    First URL: http://webdisk.profi-r-line.com/uploads/1/3/0/7/130776486/1bba368.pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003027.bin
SHA-256: d742f683312ab1b1bb18809b96ae1044f4a7dc27f064c94917561bfba9c357de
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3027
Size: 7532 bytes