Malicious PDF — malware analysis report

Static analysis result for SHA-256 06d7a9f84c8e5f23…

MALICIOUS

PDF

Size: 45.6 KB
Authoring application: pdf-parser
MD5: ffccf00aa2f208e791eef6b7ce1a0576
SHA-1: f663db66940e72dc028815fe11ba4d431484fe63
SHA-256: 06d7a9f84c8e5f239f5f97999575b7763d0804b61debad3929ad221fb379072d
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded external links, identified as a link farm, which is a common technique for SEO spam or distributing malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution. While no scripts were explicitly extracted, the nature of the link farm suggests it could be used to redirect users to malicious sites or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://sea-riders.com/uploads/1/3/0/3/130313698/surimagojiwag.pdf
    • http://tobler-design.ch/uploads/1/3/0/3/130313067/90beb988.pdf
    • http://xel.tamitatami.pro/uploads/2020/01/28/5881be352.pdf
    • http://kokomotans.com/uploads/1/3/0/6/130621000/9445704.pdf
    • http://misabeppa.com/uploads/1/3/0/5/130546742/2042076.pdf
    • https://kulovegubitoga.weebly.com/uploads/1/3/0/5/130588968/tifofojuvajav.pdf
    • http://phillywaxing.com/uploads/1/3/0/5/130540437/gexisetakit.pdf
    • https://werozuzava.weebly.com/uploads/1/3/0/4/130489080/pagabexeroli_vujowaxote_wixejuje.pdf
    • http://djsacademy.com/uploads/1/3/0/2/130274319/130274319.html#cartoon+anime+online+apk
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001192.bin
    SHA-256: 650c4370e1f0716afc0a1a815098aab73c08aba44098f732a92adcbaabcbe60e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1192
    Size: 8392 bytes
  • Filename: font_01_sfnt_off00006a61.bin
    SHA-256: 0e681f9c5b8551561fb4ebd6139f78397d9111108f124583bcd84be97acba7ea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6A61
    Size: 16468 bytes