Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f99e42cc26d994d…

MALICIOUS

PDF

Size: 53.0 KB
Authoring application: Poppler-utils

MD5: b55dbba2a5aed86cd28c368f62dbaa3e
SHA-1: 89e96dca073610ed5107ff05047dfee49300358e
SHA-256: 0f99e42cc26d994dc9336f10fed575ab119cc352b2a90bd63850772dcd492472

Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO poisoning or to distribute further malicious content. ClamAV and ML classifiers strongly indicate maliciousness, flagging it as phishing or malware. The embedded links likely serve as a lure to download additional malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://midicicastlerock.com/uploads/1/3/0/5/130551162/nasopodemotewizoju.pdf
    • http://mykayscreations.com/uploads/1/3/0/5/130551417/digupulobokefazo.pdf
    • https://rawapuxiri.weebly.com/uploads/1/3/0/5/130551338/bukutag.pdf
    • http://missbehave.website/uploads/1/3/0/3/130313015/tuwogaxivomilurode.pdf
    • http://globalwarming1.com/uploads/1/3/0/6/130604812/5820250.pdf
    • http://auradayspasalon.com/uploads/1/3/0/5/130540097/e53f389f5103b.pdf
    • http://modtran8.net/uploads/1/3/0/5/130548070/8535573.pdf
    • http://xlntcoffee.com/uploads/1/3/0/5/130540420/24fd6857e.pdf
    • http://nurtureministries.com/uploads/1/3/0/2/130271214/14b795.pdf
    • http://sweetestdreams.org/uploads/1/3/0/7/130775217/130775217.html#critical+theory+today+free+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001444.bin
    SHA-256: 4c18c15b0f36715fb2cd81e69e421ccf32b7bc5e2f1750e8cc9e94891d97885d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1444
    Size: 8448 bytes
  • Filename: font_01_sfnt_off000094e7.bin
    SHA-256: 79ebf19eb681fc7434e1dee28086301459de529d1821a878a7ddcf2def0f2a83
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x94E7
    Size: 2628 bytes