Malicious PDF — malware analysis report

Static analysis result for SHA-256 01f7c7ef61c1ab01…

MALICIOUS

PDF

Size: 55.6 KB
Authoring application: SWFTools
MD5: 2da7b4ce085b28568f492db567c19e94
SHA-1: e18367f62da76990eeeef2196df33c52aca74a2a
SHA-256: 01f7c7ef61c1ab010bf1684dd46461f01bf0b0a38c3aa735e714e663c8e638a4
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to external PDF files, indicating a link farm or a distribution mechanism for further malicious content. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or malware distribution. The document body itself is heavily obfuscated and contains many of the same URLs, reinforcing the link farm pattern.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • stream_005_off000091b6.bin
    SHA-256: 9f3164bd15e32a4d85d64c5d99f0d692c4eed2a69bbf809186ecb0b3d1fe003f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x91B6
    Size: 6568 bytes
  • font_00_sfnt_off000017c3.bin
    SHA-256: 0a0c7efd372609545c92b39ef67b41fd05f351aa2f6adfed2871b22a063f449d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17C3
    Size: 9960 bytes
  • font_01_sfnt_off000073b2.bin
    SHA-256: 3fbf1cd6064673d6befca11b09500366577c1821a88f60fd63cda489fb97f284
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x73B2
    Size: 16276 bytes
  • font_02_sfnt_off000088ed.bin
    SHA-256: 2c32c498f23db3cae400dac070c72b38d41a5d5dbe5041cbe08e7cee44e1acfd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x88ED
    Size: 2648 bytes