Malicious PDF — malware analysis report

Static analysis result for SHA-256 079ba15e89d0e6a6…

Verdict: MALICIOUS
File type: PDF
Size: 35.4 KB
Authoring application: Adobe PDF Library 9.0
MD5: 80b23ec3c2c00250b86704764fa3ead2
SHA-1: 2298ca073b97104b2a6fda58606f6a744ba5d64d
SHA-256: 079ba15e89d0e6a6ba5cc6e732536f92a534118b2917b17b97c39fbf45571f07
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a large number of embedded links to external PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests a tactic to manipulate search engine results or distribute a large volume of content, potentially malicious. The ClamAV detection and ML classifier further support its malicious nature, likely as a phishing or redirection mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00002ecc.bin
    SHA-256: 57e3131821f5aa2b3754451d731c8210505e150fbe5377703b4a28a546ef7d80
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2ECC
    Size: 7900 bytes