Malicious PDF — malware analysis report

Static analysis result for SHA-256 104921c10128e4e7…

Verdict: MALICIOUS
File type: PDF
Size: 44.0 KB
Authoring application: Nitro PDF
MD5: 96144566d90373b72565e57dc5db822c
SHA-1: 816012f6c7f52beac47f6014b088a6e97bcda6d5
SHA-256: 104921c10128e4e7ff7376165ed72d6b6eb2e42e17f280a8ee760907848a718f
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of embedded link annotations pointing to external PDF files, a pattern characteristic of generated SEO-poisoning and phishing link-farm carriers. Two independent signals agree on the verdict: ClamAV matches the signature Pdf.Phishing.TtraffRobotInstall-7605656-0, and the ML classifier assigns a malicious score of 1.0000. No scripts were extracted from the document, so the embedded URLs are the primary indicator of malicious activity; they are likely to route the reader to further phishing content or unwanted-software downloads rather than to legitimate documents.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://duwoxemojow.weebly.com/uploads/1/3/0/4/130483346/856c5271.pdf
    • http://bizelirobo.audiostart32.icu/uploads/2020/01/28/756f0c4d773.pdf
    • http://gossort.com/uploads/2020/01/28/pavawomigukilej-xulubupon.pdf
    • http://nabe.privat-market.ru/uploads/2020/01/28/tugejifetirige-fekowi-bomoxo.pdf
    • http://gof.shoprixo.com/uploads/2020/01/27/a0cb9.pdf
    • https://zozaxoxovu.weebly.com/uploads/1/3/0/5/130588830/walekanuvafedenitodi.pdf
    • http://ziwo.tmass.online/uploads/2020/01/27/bunizojenu.pdf
    • http://pes.ggdmetals.site/uploads/2020/01/28/6463390.pdf
    • https://rokimapaperoj.weebly.com/uploads/1/3/0/5/130540040/801bc2f3.pdf
    • https://ganekosuxabobon.weebly.com/uploads/1/3/0/5/130546333/nakuzenupige_rusifaporetat.pdf
    • https://rofigigesa.weebly.com/uploads/1/3/0/3/130323630/xiter_jixevuwonotofa_nejepibijapiti_wulub.pdf
    • https://vimubuwofol.weebly.com/uploads/1/3/0/2/130291585/januso-bibuvejasiv-waxab.pdf
    • http://piwip.audiostart32.icu/uploads/2020/01/27/5979765.pdf
    • https://rudulakafulala.weebly.com/uploads/1/3/0/3/130379517/fugigesulawatako.pdf
    • http://trubdesign.com/uploads/2020/01/28/f4dc9a77540.pdf
    • http://bisudadiw.ekzolocin-ot-gribka.pro/uploads/2020/01/28/de4a804d1249c.pdf
    • http://socutepussy.com/uploads/2020/01/28/nigotepapakes.pdf
    • http://buluzumina.onlyoil.ru/uploads/2020/01/28/ebd49dd63c691ab.pdf
    • http://viptip.pro/uploads/2020/01/27/keneridubawor.pdf
    • http://ledaso.tripmakanangin.com/uploads/2020/01/28/696499.pdf
    • https://kowelutixo.weebly.com/uploads/1/3/0/4/130488486/130488486.html#comptine+d%27un+autre+%C3%A9t%C3%A9+sheet+music+pdf
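The PDF_SEO_LINK_FARM heuristic above is simple enough to reproduce. The script below is an added example, not the scanner's own rule or code from this report: it builds a constructed single-page PDF whose /Link annotations carry the 21 URLs listed in the EMBEDDED_URL section, extracts the /URI targets, and applies the three conditions the rule describes (small file, many external .pdf links, one host dominating). The size and count thresholds, the 0.3 cluster ratio and the "last two labels" host grouping are assumptions chosen for illustration; the regex extractor only handles uncompressed objects with plain literal strings, so real triage should decompress streams with a proper PDF parser first.

```python
# Added example: a toy re-implementation of the PDF_SEO_LINK_FARM idea.
# Not the scanner's code. Thresholds and host grouping are assumptions.
import re
from collections import Counter
from urllib.parse import urlparse

# The URLs the report extracted from the sample, used here as constructed
# test data inside a synthetic PDF (the analysed sample itself is not needed).
SAMPLE_URLS = [
    "https://duwoxemojow.weebly.com/uploads/1/3/0/4/130483346/856c5271.pdf",
    "http://bizelirobo.audiostart32.icu/uploads/2020/01/28/756f0c4d773.pdf",
    "http://gossort.com/uploads/2020/01/28/pavawomigukilej-xulubupon.pdf",
    "http://nabe.privat-market.ru/uploads/2020/01/28/tugejifetirige-fekowi-bomoxo.pdf",
    "http://gof.shoprixo.com/uploads/2020/01/27/a0cb9.pdf",
    "https://zozaxoxovu.weebly.com/uploads/1/3/0/5/130588830/walekanuvafedenitodi.pdf",
    "http://ziwo.tmass.online/uploads/2020/01/27/bunizojenu.pdf",
    "http://pes.ggdmetals.site/uploads/2020/01/28/6463390.pdf",
    "https://rokimapaperoj.weebly.com/uploads/1/3/0/5/130540040/801bc2f3.pdf",
    "https://ganekosuxabobon.weebly.com/uploads/1/3/0/5/130546333/nakuzenupige_rusifaporetat.pdf",
    "https://rofigigesa.weebly.com/uploads/1/3/0/3/130323630/xiter_jixevuwonotofa_nejepibijapiti_wulub.pdf",
    "https://vimubuwofol.weebly.com/uploads/1/3/0/2/130291585/januso-bibuvejasiv-waxab.pdf",
    "http://piwip.audiostart32.icu/uploads/2020/01/27/5979765.pdf",
    "https://rudulakafulala.weebly.com/uploads/1/3/0/3/130379517/fugigesulawatako.pdf",
    "http://trubdesign.com/uploads/2020/01/28/f4dc9a77540.pdf",
    "http://bisudadiw.ekzolocin-ot-gribka.pro/uploads/2020/01/28/de4a804d1249c.pdf",
    "http://socutepussy.com/uploads/2020/01/28/nigotepapakes.pdf",
    "http://buluzumina.onlyoil.ru/uploads/2020/01/28/ebd49dd63c691ab.pdf",
    "http://viptip.pro/uploads/2020/01/27/keneridubawor.pdf",
    "http://ledaso.tripmakanangin.com/uploads/2020/01/28/696499.pdf",
    "https://kowelutixo.weebly.com/uploads/1/3/0/4/130488486/130488486.html#comptine+d%27un+autre+%C3%A9t%C3%A9+sheet+music+pdf",
]

# Literal-string /URI target in an uncompressed object. Limitation (assumption
# of this toy): no escape sequences, hex strings or object streams are handled.
URI_RE = re.compile(rb"/URI\s*\(([^()\\]*)\)")


def build_sample_pdf(urls):
    """Constructed input: a one-page PDF with one /Link annotation per URL."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objects.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                   b"/Annots [" + annot_refs + b"] >>")
    for url in urls:
        objects.append(b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
                       b"/A << /S /URI /URI (" + url.encode("ascii") + b") >> >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return bytes(out)


def extract_uri_links(pdf_bytes):
    """Return every /URI target found in the uncompressed PDF body."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def registrable_host(url):
    """Crude eTLD+1 (last two labels), so *.weebly.com clusters together.
    Assumption: no public-suffix list, so hosts under e.g. co.uk collapse wrongly."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def score_link_farm(pdf_bytes, max_size=100 * 1024, min_pdf_links=10,
                    cluster_ratio=0.3):
    """Flag a small PDF whose clickable links are mostly external .pdf files
    concentrated on one registrable host. All three thresholds are assumptions."""
    links = [u for u in extract_uri_links(pdf_bytes)
             if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(registrable_host(u) for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    ratio = top_count / len(pdf_links) if pdf_links else 0.0
    hit = (len(pdf_bytes) <= max_size
           and len(pdf_links) >= min_pdf_links
           and ratio >= cluster_ratio)
    return {
        "size": len(pdf_bytes),
        "external_links": len(links),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_count": top_count,
        "cluster_ratio": round(ratio, 2),
        "PDF_SEO_LINK_FARM": hit,
    }


if __name__ == "__main__":
    for key, value in score_link_farm(build_sample_pdf(SAMPLE_URLS)).items():
        print(f"{key}: {value}")
```

On the report's URL set the script counts 21 external links, 20 of them .pdf targets, with weebly.com as the dominant host (7 of 20), which is enough to trip the constructed rule; a document with a handful of citation links on distinct hosts does not.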

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000015eb.bin
SHA-256: 68d92b8941db67eac72ee103c4229cdc2002b7c71421020d048b90c0ebd42c87
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x15EB
Size: 10620 bytes