Malicious PDF — malware analysis report

Static analysis result for SHA-256 0a812fbcb49abfae…

Verdict: MALICIOUS
File type: PDF
Size: 46.7 KB
Authoring application: PDF Studio
MD5: 663979e22f2076d806e7919dce12c4d0
SHA-1: 6b00ff70a0b484ac14aec10ee95c7ba579860a76
SHA-256: 0a812fbcb49abfae9c96ec8181cad7f3ddc80812da2c625f83a89d0c43d72ab5
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries a large number of link annotations pointing at external PDF files. The targets sit on many different domains but share an identical upload-path layout, a pattern typical of generated SEO-spam or link-farm carriers used to route victims to further malicious or unwanted content. ClamAV flags the file as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', consistent with a phishing or traffic-redirection purpose. No scripts were extracted from the file, so the JavaScript technique mapping above is not backed by a recovered script object; the embedded URLs are the primary indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9869

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF with many clickable external PDF links. In this sample the links are spread across different hosts that all share the same /uploads/1/3/0/<n>/<id>/ path layout. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel through which each URL was reached (macro, JS, link annotation, document body, font metadata, ...) determines how much weight it carries.
    • http://jonathanecollins.com/uploads/1/3/0/3/130323567/nudusokaf.pdf
    • http://umrcsalem.org/uploads/1/3/0/6/130621465/9672137.pdf
    • http://firezoneschaumburg.com/uploads/1/3/0/5/130588727/482b71377.pdf
    • http://motionfuels-arkansas.com/uploads/1/3/0/4/130483572/regubamalepujutibedi.pdf
    • http://visitoz.org/uploads/1/3/0/2/130270745/6189588.pdf
    • http://strongherfasther.org/uploads/1/3/0/6/130620420/4854981.pdf
    • http://ninaceledonio.com/uploads/1/3/0/3/130313632/c7742.pdf
    • http://mixedattainmentteaching.com/uploads/1/3/0/2/130291434/fojuni.pdf
    • http://learnonlinefast.com/uploads/1/3/0/6/130640092/130640092.html#circular+checkbox+android+github
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The two dejavu.sourceforge.net entries are the project and license URLs that the DejaVu font family ships in its font name table; they are consistent with metadata from the embedded fonts listed under Extracted artifacts rather than with clickable links, and should not be treated as indicators. The eight .pdf targets and the .html target with a keyword fragment are the link-farm payload.
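The PDF_SEO_LINK_FARM heuristic above, as an added example that is not the report's or the scanner's own code: it pulls /URI actions out of /Link annotations in uncompressed PDF objects and flags a small file whose external links cluster on one host or on one path layout. The two PDFs it analyses are constructed inline and the hosts are placeholder .example domains chosen to mimic the "many hosts, one upload-path layout" pattern of this sample; the thresholds are this example's assumptions.

```python
"""Extract /Link annotation targets from a PDF and score them as a link farm.

Added example (not the report's or the scanner's own code).  The two PDFs it
analyses are constructed inline; hosts are placeholder .example domains and
the thresholds in link_farm_verdict() are assumptions for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Uncompressed indirect objects: "N G obj ... endobj".
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
# A /URI action string literal; allows backslash-escaped parentheses inside it.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")

def build_pdf(urls):
    """Construct a minimal PDF with one /Link annotation per URL.
    No xref table is written: the extractor below scans objects directly."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annots + b"] >>")
    for url in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 72 300 90] "
                    b"/A << /S /URI /URI (" + url.encode() + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n + 1, o) for n, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"

def extract_link_uris(pdf):
    """Return [(object number, URI)] for every uncompressed /Link annotation
    carrying a /URI action.  Objects packed in object streams are not seen;
    inflate them first when working on real samples."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        num, obj = int(m.group(1)), m.group(2)
        if not LINK_RE.search(obj):
            continue
        for u in URI_RE.finditer(obj):
            raw = u.group("uri").replace(b"\\(", b"(").replace(b"\\)", b")")
            found.append((num, raw.decode("latin-1")))
    return found

def path_template(url):
    """Directory part of the URL path with digit runs replaced by '#', so
    /uploads/1/3/0/3/130000001/a.pdf -> /uploads/#/#/#/#/#  (filename dropped)."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "#", directory)

def link_farm_verdict(uris, file_size, min_links=8, cluster_share=0.5,
                      max_size=200_000):
    """Return (is_farm, reason).  A small file with many external links that
    cluster on one host OR on one path layout is treated as a generated
    link-farm carrier.  Threshold values are assumptions for this example."""
    ext = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    if file_size > max_size or len(ext) < min_links:
        return False, f"{len(ext)} external links in {file_size} bytes: below threshold"
    hosts = Counter(urlsplit(u).hostname for u in ext)
    templates = Counter(path_template(u) for u in ext)
    host, host_n = hosts.most_common(1)[0]
    tpl, tpl_n = templates.most_common(1)[0]
    if host_n / len(ext) >= cluster_share:
        return True, f"{host_n}/{len(ext)} links on one host ({host})"
    if tpl_n / len(ext) >= cluster_share:
        return True, f"{tpl_n}/{len(ext)} links across {len(hosts)} hosts share path layout {tpl}"
    return False, "no host or path clustering"

# Constructed input: nine farm-style links, one per host, identical path layout.
FARM_URLS = [f"http://site-{c}.example/uploads/1/3/0/{i % 7}/13{i:07d}/{c * 3}.pdf"
             for i, c in enumerate("abcdefghi")]
# Constructed control: a few citations to unrelated hosts and paths.
CITATION_URLS = ["https://journal.example/article/2023/paper.pdf",
                 "https://vendor.example/docs/whitepaper.pdf",
                 "https://standards.example/rfc/rfc9999.txt"]

if __name__ == "__main__":
    for label, urls in (("farm", FARM_URLS), ("citations", CITATION_URLS)):
        pdf = build_pdf(urls)
        uris = [u for _, u in extract_link_uris(pdf)]
        verdict, why = link_farm_verdict(uris, len(pdf))
        print(f"{label}: {len(uris)} link annotations, farm={verdict}: {why}")
```

The host-clustering check alone would miss this sample, since every link here points at a different domain; the path-template check is what catches the shared /uploads/1/3/0/<n>/<id>/ layout. Real samples usually keep annotations inside FlateDecode object streams, so run the extractor on the inflated objects (or use a full PDF parser) rather than on the raw file.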

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000023f7.bin
    SHA-256: 555eb871b28216aeb88116f252ddf32f1224aec95b1aceeedde6bb6a071b0dfb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x23F7
    Size: 2104 bytes
  • font_01_sfnt_off000030f2.bin
    SHA-256: 2d65761a5bc4f9f82b54aa1a6389ced5838b8f7ac348e00ccfbf0fa7630b5438
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x30F2
    Size: 9304 bytes
  • font_02_sfnt_off000074f1.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x74F1
    Size: 16036 bytes
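How the font artifacts above are carved, and why URLs such as the dejavu.sourceforge.net entries in the EMBEDDED_URL list can come from font metadata rather than from clickable links, as an added example that is not the report's or the scanner's code. It finds stream objects whose data starts with an sfnt magic, records their file offset (the same quantity the artifact names above encode), then reads the font's 'name' table and labels any URL it holds by its name ID. The PDF and the font inside it are constructed here: the font is a bare sfnt container with only a 'name' table (enough for the parser, not a usable font), and the URLs in it are placeholders standing in for the vendor and license URLs that real font families embed.

```python
"""Carve sfnt fonts out of a PDF and attribute URLs found in their 'name' tables.

Added example, not the report's or the scanner's code.  Both the PDF and the
font it embeds are constructed inline; the font holds only a 'name' table and
the URLs in it are placeholders (fonts.example), not a real vendor.
"""
import re
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType / Apple / CFF-based OpenType
NAME_URL_IDS = {11: "vendor URL", 14: "license URL"}    # OpenType 'name' IDs that carry URLs
# Stream dictionaries with a direct /Length; indirect lengths (/Length 5 0 R) are not resolved.
STREAM_RE = re.compile(rb"/Length\s+(\d+)\b[^>]*>>\s*stream\r?\n")

def build_name_table(names):
    """Format-0 'name' table with one Windows/Unicode (platform 3, encoding 1) record per ID."""
    records, storage = b"", b""
    for name_id, text in sorted(names.items()):
        enc = text.encode("utf-16-be")
        records += struct.pack(">6H", 3, 1, 0x0409, name_id, len(enc), len(storage))
        storage += enc
    header = struct.pack(">3H", 0, len(names), 6 + 12 * len(names))
    return header + records + storage

def build_sfnt(names):
    """Minimal sfnt: offset table + one table record + the 'name' table (checksum left 0)."""
    name_table = build_name_table(names)
    offset_table = struct.pack(">I4H", 0x00010000, 1, 16, 0, 0)
    record = struct.pack(">4sIII", b"name", 0, 12 + 16, len(name_table))
    return offset_table + record + name_table

def build_pdf_with_font(font):
    """Minimal PDF embedding `font` as a stream object with a direct /Length (constructed)."""
    head = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    stream = (b"2 0 obj\n<< /Length %d /Length1 %d >>\nstream\n" % (len(font), len(font))
              + font + b"\nendstream\nendobj\n")
    return head + stream + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"

def carve_sfnt_fonts(pdf):
    """Return [(file offset, bytes)] for each direct-length stream that starts with an sfnt magic."""
    carved = []
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        data = pdf[start:start + int(m.group(1))]
        if data[:4] in SFNT_MAGICS:
            carved.append((start, data))
    return carved

def parse_name_table(font):
    """Return {nameID: text} from the font's 'name' table ({} if not an sfnt or no table)."""
    if font[:4] not in SFNT_MAGICS or len(font) < 12:
        return {}
    num_tables = struct.unpack(">H", font[4:6])[0]
    for i in range(num_tables):
        tag, _chk, off, length = struct.unpack(">4sIII", font[12 + 16 * i:28 + 16 * i])
        if tag == b"name":
            break
    else:
        return {}
    table = font[off:off + length]
    _fmt, count, string_off = struct.unpack(">3H", table[:6])
    names = {}
    for i in range(count):
        plat, _enc, _lang, name_id, slen, soff = struct.unpack(">6H", table[6 + 12 * i:18 + 12 * i])
        raw = table[string_off + soff:string_off + soff + slen]
        # Platforms 0 (Unicode) and 3 (Windows) store UTF-16BE; platform 1 (Macintosh) is single-byte.
        text = raw.decode("utf-16-be", "replace") if plat in (0, 3) else raw.decode("latin-1")
        names.setdefault(name_id, text)
    return names

def attribute_font_urls(pdf):
    """[(offset, channel label, url)] for every URL that lives in an embedded font's name table.
    Such URLs are font metadata, not clickable links, and should be labelled as that channel."""
    hits = []
    for off, font in carve_sfnt_fonts(pdf):
        for name_id, text in parse_name_table(font).items():
            if text.lower().startswith(("http://", "https://")):
                label = "font-name-table/" + NAME_URL_IDS.get(name_id, f"nameID {name_id}")
                hits.append((off, label, text))
    return hits

# Constructed font metadata (placeholder vendor, not a real font family).
SAMPLE_NAMES = {1: "Example Sans", 11: "http://fonts.example/", 14: "http://fonts.example/license"}

if __name__ == "__main__":
    pdf = build_pdf_with_font(build_sfnt(SAMPLE_NAMES))
    for off, channel, url in attribute_font_urls(pdf):
        print(f"offset 0x{off:X}  {channel:<30} {url}")
```

When a URL extractor reports a URL, the channel label is what separates a lure from noise: a URL reached through a /Link annotation or a /JavaScript action is an indicator, while one sitting in name ID 11 or 14 of an embedded font is the font's own vendor or license pointer. Real samples often compress font streams with /FlateDecode or reference the length indirectly; inflate the stream and resolve the length before applying the magic check.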