Malicious PDF — malware analysis report

Static analysis result for SHA-256 0bb9bff20baf70dc…

Verdict: MALICIOUS

File type: PDF
Size: 89.5 KB
Authoring application: ImageMagick

MD5: 9d916976f36d3ec1d836df96dc060d13
SHA-1: 46e652929e3f8b2037aeee7a4f5852455209691c
SHA-256: 0bb9bff20baf70dc0f7f623092fe4e71dbeeb29727bd70e6b2c1c7586fb7ee4b

Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links to external PDF files hosted on various domains, indicative of a link farm or phishing campaign. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output further support its malicious nature. No scripts were extracted, but the sheer volume of outbound links suggests an attempt to direct users to malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9967

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size         SHA-256
font_00_sfnt_off000083a1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x83A1   16028 bytes  ca889182d22413b1a5b6446cd5d954c095bfc2c8b2fec1022b19199100617195
font_01_sfnt_off000097bc.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x97BC   1388 bytes   1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0
font_02_sfnt_off0000a3de.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA3DE   35888 bytes  3bbb9a799c40a2da4469ee5b8d8b603b204f5797e24e6558ee3ecdb4eb770a84
font_03_sfnt_off00010438.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10438  5740 bytes   63d83a07e948a4a8b15b9c688697af74160c3511cecf8ebb7e0b84186e19b52d