Malicious PDF — malware analysis report

Static analysis result for SHA-256 0cffa27eeeb5cd74…

MALICIOUS

PDF

33.9 KB Authoring application: Nitro PDF
MD5: 27445fc6bc3ee211a44330d59e8062ab SHA-1: db4cccc76c17f449719c927515768a54ebaa9093 SHA-256: 0cffa27eeeb5cd74c22bd86b72a3eb2bc6f9f7af58d15b0723a3504061336dd7
200 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document exhibits characteristics of a phishing lure, employing a 'download button' heuristic and embedding a large number of links to external PDF files. The ClamAV detection and ML classifier strongly indicate malicious intent, likely to redirect users to malicious content or initiate further downloads. The embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.cardsagainstcurriculum.org/uploads/1/3/0/5/130542773/nufiwafalebi.pdf
    • http://editingreality.com/uploads/1/3/0/2/130272973/1c6c4783fb05035.pdf
    • http://kidsrgone.net/uploads/1/3/0/5/130538875/xirokoni.pdf
    • http://chadwickbrown.com/uploads/1/3/0/7/130739789/1108282.pdf
    • http://www.houseofkeating.com/uploads/1/3/0/6/130621317/9883839.pdf
    • http://dollarwitch.com/uploads/1/3/0/5/130588735/roxowudasapodase.pdf
    • http://prepseattle.com/uploads/1/3/0/6/130605420/5220317.pdf
    • http://leannross.com/uploads/1/3/0/6/130621574/7850530.pdf
    • http://www.lismorecreativetilesandmosaics.com/uploads/1/3/0/7/130740456/masepep.pdf
    • http://kokopelliskorner.net/uploads/1/3/0/6/130639305/rilopobave.pdf
    • http://verandahresidences.org/uploads/1/3/0/6/130639347/8699947.pdf
    • http://nobordersadventure.voyagerwebsites.com/uploads/1/3/0/5/130538862/130538862.html#autocad+electrical+symbols+uk

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00002ee7.bin
c2f6ff791629dca12ba8e3c4c5df9bf2563bea40418de3bb35c03899be574f59		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2EE7 7492 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.