Malicious PDF — malware analysis report

Static analysis result for SHA-256 04328b88c7eb0eb0…

Verdict: MALICIOUS
File type: PDF
Size: 41.2 KB
Authoring application: pstoedit
MD5: 330579cfd6aac60094086827b1ac0c68
SHA-1: 04eb22b4d8f6ae0fdeabbcc6fc77ae41e6a44435
SHA-256: 04328b88c7eb0eb0e4532842c7ade434e1bb57bf78789bad8e5b92abb510bb2f
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files, indicative of a link farm used for SEO poisoning or phishing. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly suggest malicious intent. The document body, though heavily obfuscated, contains references to URLs that likely serve as download locations for further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://bonniesthlm.com/uploads/1/3/0/4/130477018/sorem.pdf
    • http://andweber.com/uploads/1/3/0/6/130605346/6213fb9a1d38d18.pdf
    • http://fullbloomlife.com/uploads/1/3/0/7/130775400/pepam-safesusij-lufej.pdf
    • http://the-boujee-boutique.com/uploads/1/3/0/6/130621620/bosugevo_zugalujim_fanuvututuvuv.pdf
    • http://protectsanbenito.org/uploads/1/3/0/6/130620356/1152315.pdf
    • http://www.singaporedrumschool.com/uploads/1/3/0/7/130775762/85a7a803de.pdf
    • http://priorlakeselfstorage.com/uploads/1/3/0/6/130621209/vamuterak.pdf
    • http://writerswithroomtobloom.com/uploads/1/3/0/5/130589147/firopiguwotob_xekemubebukero_jakez_figizofe.pdf
    • http://society21.com/uploads/1/3/0/4/130435717/sisuzat.pdf
    • http://fuckdoors.com/uploads/1/3/0/7/130739789/2102467.pdf
    • http://www.cryptocurrencymadness.com/uploads/1/3/0/3/130313089/c11a558c15029.pdf
    • http://www.westcoastclassicshow.com/uploads/1/3/0/4/130489475/5106867.pdf
    • http://mta-sts.clivip.pt/uploads/1/3/0/3/130313022/3bfe9669ff366.pdf
    • http://greatlakesint.com/uploads/1/3/0/6/130639689/1430419.pdf
    • http://morganmwilliams.com/uploads/1/3/0/7/130739028/nimarek-wawejuwobi.pdf
    • http://princess-crown.lucky1st.com/uploads/1/3/0/4/130488412/130488412.html#exercises+to+strengthen+leg+before+acl+surgery

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000046d4.bin
SHA-256: f706ded61a3af2c4a756a289a2a6f552249a40224bbe3b8cdf1e6f1476a9c5b3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x46D4
Size: 7776 bytes