Malicious PDF — malware analysis report

Static analysis result for SHA-256 05c9bbb0044cf87b…

MALICIOUS

PDF

Size: 38.7 KB
Authoring application: Poppler-utils
MD5: 1347c5bcebb14257ebb4de59d3ffd8ab
SHA-1: 7c75b294b58c8009fab608bb00d3fd7613ce421f
SHA-256: 05c9bbb0044cf87bb98a70b18e616384eec19c78ba6dfe9326ce98c1c5cbf7ab
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, a technique often used for SEO manipulation or to distribute malicious payloads. ClamAV identified this as Pdf.Phishing.TtraffRobotInstall, and a machine learning classifier also flagged it as malicious. The embedded URLs are the primary indicators of compromise, suggesting a phishing or content distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000327a.bin
SHA-256:  5012893a2b987f0e257886a5891dbad561d7cbf10089493d86899efaec5a14d3
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x327A
Size:     8248 bytes