Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d6f1fa6be1049ee…

Verdict: MALICIOUS
File type: PDF
Size: 33.7 KB
Authoring application: ImageMagick
MD5: 433b6824aa5113804a37d923702e22e9
SHA-1: 5fd08c7964f7a56f646c059d10c9b3da8db55a17
SHA-256: 0d6f1fa6be1049eedc990337c04c199ae8873a2e93c601d7abca8c5823578a7f
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, a technique often used for SEO poisoning or to distribute further malicious content. ClamAV detected this file as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and an ML classifier also flagged it as malicious with high confidence. The embedded URLs likely lead to further malicious documents or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001366.bin
SHA-256: 7b5f6ef0264bcc8651346616c5ccbf8b2459288f7f025bab4e006653cb635674
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1366
Size: 8092 bytes