Malicious PDF — malware analysis report

Static analysis result for SHA-256 10e18d30a1d3899a…

Verdict: MALICIOUS
File type: PDF
Size: 76.8 KB
Authoring application: Adobe PDF Library 9.0
MD5: 9b7eef14584b7abb99c30788569a87b9
SHA-1: 2ed114dd6f1ee9ecdf173b749f5b09bb18e04b45
SHA-256: 10e18d30a1d3899aaf7fcd7af7616722a0dd234463a547252a4794691968e492
Risk Score: 160

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO manipulation or to host phishing content. ClamAV identified this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and a machine learning classifier also flagged it as malicious. The presence of embedded URLs and the heuristic 'PDF_SEO_LINK_FARM' strongly suggest a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size and SHA-256.

  • font_00_sfnt_off000071bd.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x71BD; Size: 16092 bytes
    SHA-256: da058afa3b19b87446ba8bb39e3c3b493f5d94fc5440b3d97d9d5df75f8e5634
  • font_01_sfnt_off00008619.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x8619; Size: 1388 bytes
    SHA-256: 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0
  • font_02_sfnt_off000090c4.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x90C4; Size: 19092 bytes
    SHA-256: 44fa339da88235c34bd78d3dfe59198bb0a3a948ddc423332f3ede5adff0146b
  • font_03_sfnt_off0000c600.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xC600; Size: 11216 bytes
    SHA-256: 7377478da57b57809833ca2b3a13ab994e780c9f9a8baad6ae997122309f1787