Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f1d3e903abf3773…

MALICIOUS

PDF

48.5 KB Authoring application: QPDF
MD5: f6c8d6ee68ec019e8e0e1f933c15e4ff SHA-1: d3eb8fcdf07469c3b5ae6d24e56d0f4338b4ae66 SHA-256: 0f1d3e903abf37734c011a302b7687a1163957f877d32d5a0227bc00ca10fa86
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO manipulation or to distribute further malicious content. ClamAV detected this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and an ML classifier also flagged it with high confidence. The document body itself is heavily obfuscated and contains many of the same URLs, suggesting a coordinated effort to redirect users.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://summerfoxart.com/uploads/1/3/0/2/130289232/walegizariv_fazizibalozali_keluwumofitijat_tavixi.pdf
    • http://alcoholfreepregnancymn.com/uploads/1/3/0/4/130483396/905c448c585d.pdf
    • http://1221citycenteroakland.com/uploads/1/3/0/6/130621784/geruparepavug.pdf
    • http://mhswarriorettes.com/uploads/1/3/0/3/130323632/737459.pdf
    • http://projectforereach.com/uploads/1/3/0/5/130590741/11689f82.pdf
    • http://dickbirdphoto.com/uploads/1/3/0/3/130323693/9efa889d52d6b29.pdf
    • http://kexig.rusfermer.info/uploads/2020/01/29/gazupebutibif.pdf
    • http://youthinkbrand.top/uploads/2020/01/29/bowojina-tetuma-waxim-jaselu.pdf
    • http://marklawfirms.com/uploads/1/3/0/5/130544746/wamof.pdf
    • http://maisonmobilemoveisplanejados.com/uploads/1/3/0/6/130621896/5d3d381192.pdf
    • http://niniwotol.randkujruchaj.online/uploads/2020/01/28/nabesakutudije.pdf
    • http://nashobavalleyextractco.com/uploads/1/3/0/5/130588789/xiduvegofefu.pdf
    • http://nangrayphotography.com/uploads/1/3/0/7/130775228/130775228.html#partitura+bohemian+rhapsody+piano+facil
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001620.bin
5826dfea0f8017197d11c5c35f78e2c6c07337ba04feaa9c33676002d8c897fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1620 11164 bytes
font_01_sfnt_off00006cb5.bin
5d7ebd720715cd86529581f1d40cc643f68465477bd430d4be5ff736bc95f798		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CB5 16268 bytes
font_02_sfnt_off000081f6.bin
192e402e4ae2605933518888c4c4814f2abc1640ad185ae3d96822093e32a7d8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x81F6 2768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.