Malicious PDF — malware analysis report

Static analysis result for SHA-256 054c01231764713e…

Verdict: MALICIOUS
File type: PDF
Size: 44.9 KB
Authoring application: Poppler-utils
MD5: 42e4add11fdce96a99b02c8dcb14670a
SHA-1: 2b482003b52bc11f1a79a868062ea39490d49f10
SHA-256: 054c01231764713e5ebff28549f759e42f66a4725275adf2343dd90f4ef26904
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file was detected as malicious by ML classifiers and by ClamAV, which classifies it as a phishing / traffic-robot installer carrier. Heuristic analysis found a large number of embedded external links to other PDF files, the first of which is http://yawslegin.com/uploads/1/3/0/6/130621826/b39eb91fec5db6.pdf. This indicates that the document's primary purpose is to route users into a large network of other PDF files, most likely as SEO spam or as an entry point into a chain that delivers further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    First URL: http://yawslegin.com/uploads/1/3/0/6/130621826/b39eb91fec5db6.pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00002ed1.bin
    SHA-256: 330464a6acc803da3fb34c4c599bad942c5546d65e731cd319c37e5c31619ddb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2ED1
    Size: 1740 bytes
  • Filename: font_01_sfnt_off00003703.bin
    SHA-256: fee8d81852334122717895109c2059c260d17b6cbcf32fdac71b28e55c2762cc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3703
    Size: 16508 bytes
  • Filename: font_02_sfnt_off00005075.bin
    SHA-256: f8822e35e97020e2245f7e409e377c4290350ffd3974fced57f1e77837287aa6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5075
    Size: 8444 bytes