Malicious PDF — malware analysis report

Static analysis result for SHA-256 01f5801e0ce2e0fa…

MALICIOUS

PDF

Size: 41.7 KB
Authoring application: PDFedit
MD5: 5cf4fd30f1bec649642e60646852ca63
SHA-1: 454b364829896db2cb133d7fdaf2a7ae9678b53b
SHA-256: 01f5801e0ce2e0fa01ed7bd406c534cf9ec8133b682ac27105959b72f56befe9
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF document detected as malicious by ClamAV and an ML classifier. It contains a large number of embedded URLs pointing to external PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, potentially related to phishing or SEO spam.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00003198.bin
    SHA-256: 1d1fa5121415f8f5353993473374918b9d2a38f433752094af4cce5d3be72c8c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3198
    Size: 16312 bytes
  • font_01_sfnt_off000049dd.bin
    SHA-256: 5d937cc4d7f76df66c039a4e3a6fe49c566e9a4540049e61c0bc756a233c786a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x49DD
    Size: 7980 bytes