Malicious PDF — malware analysis report

Static analysis result for SHA-256 02ab5ff96ef8df04…

MALICIOUS

PDF

Size: 90.7 KB
Authoring application: Pdftk
MD5: 458ce59cdb67c369eaf9dd6fd91eeb4a
SHA-1: dca71dd361de0ae81a52b1125741886f59396a37
SHA-256: 02ab5ff96ef8df04f04cb0833aa35c95a904e6193e82b5ae93a68e3857357af9
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a mass external PDF link farm, with multiple links pointing to PDF files hosted on various domains. The document body also contains a call-to-action phrase and a URL that appears to be a download lure. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious nature of this file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9948

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://uscstudentactivism.org/uploads/1/3/0/4/130483551/6132260.pdf
    • http://nurseryrhymedesign.com/uploads/1/3/0/2/130287413/ac5733c68bf.pdf
    • http://ajwellsolutions.com/uploads/1/3/0/5/130588640/xosuxi.pdf
    • http://ravengroupsf.com/uploads/1/3/0/5/130540700/xipemex.pdf
    • http://michaelgrew.net/uploads/1/3/0/2/130289645/54ef1.pdf
    • http://mynaturalhairspa.com/uploads/1/3/0/6/130621857/130621857.html#dfx+audio+enhancer+descarga+libre+ve
    • http://bit.ly/2H7IqWR
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • stream_005_off00010f65.bin
    SHA-256: 2817454b9d6f29b22e9b57e027be40fa4fa548827e90a38552b7946ca0983d59
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x10F65
    Size: 23032 bytes
  • font_00_sfnt_off000012d0.bin
    SHA-256: b09d163dc2e505a0a51817ad0140e192833da31ccbb618975ca9a9887f9e85b4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12D0
    Size: 13096 bytes
  • font_01_sfnt_off00005503.bin
    SHA-256: d80ce48f48eead3f194e984b8ffa18b15c8aa37d04b97cb051e9f90b9711b79d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5503
    Size: 11272 bytes