Malicious PDF — malware analysis report

Static analysis result for SHA-256 08b2c731dafe7d63…

Verdict: MALICIOUS
File type: PDF
Size: 47.1 KB
Authoring application: ImageMagick
MD5: 1b9bd8003e4afb56eed261f128bca76a
SHA-1: 31242d05afb727766cfd6fce3035b36abb88b6d3
SHA-256: 08b2c731dafe7d635b3deff0fd7ebad09c94d7a8ce6f9ca619133b29d2d39baf
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files across various domains, indicative of a link farm or a distribution network. ClamAV identified this as Pdf.Phishing.TtraffRobotInstall, suggesting a phishing or traffic-generation scheme. No scripts were extracted, but the sheer volume of external links suggests an attempt to direct traffic or deliver further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005801.bin
SHA-256: a6339bff992a77a792254a6c090a34042e99368fcd682c231ee2ef46e3f1cb0d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5801
Size: 8508 bytes