Malicious PDF — malware analysis report

Static analysis result for SHA-256 118411830a6059cf…

MALICIOUS

PDF

Size: 50.3 KB
Authoring application: SWFTools
MD5: 7dbcfbddbc0518bfee37fb7eff700f96
SHA-1: 7e77c5702074277acdc40b9e5fbcd1a291dc6927
SHA-256: 118411830a6059cf74b284e223595e090c70134184e8953cec308ee6ab72e484
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links and is classified as a link farm, a pattern used for SEO manipulation and for routing readers to phishing or unwanted-software pages. The document body, though heavily obfuscated, contains references to 'All sports live tv channel app' and several URLs that are likely part of this lure. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or malicious-redirection intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://neibaurart.com/uploads/1/3/0/3/130313090/lulikafi.pdf
    • http://mynorthstarcares.com/uploads/1/3/0/5/130551562/2240083.pdf
    • http://northernsound.com/uploads/1/3/0/3/130323599/5009626.pdf
    • http://azmendinglives.com/uploads/1/3/0/7/130776067/gelavitowe_sesax_vidusuwe_vomujetuzaz.pdf
    • http://bartolomeilaw.com/uploads/1/3/0/6/130605190/130605190.html#all+sports+live+tv+channel+app
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The two dejavu.sourceforge.net entries match the homepage and license URLs that the DejaVu font family carries in its name table; given the three sfnt fonts embedded in this file, they are most likely font metadata rather than part of the lure. The five /uploads/1/3/0/... URLs on unrelated hosts share one path scheme, which is the pattern the link-farm heuristic keys on.
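The PDF_SEO_LINK_FARM heuristic rests on three measurable properties: file size, the number of clickable external link targets, and how many of them share one host. The following is an added example, not the scanner's own code, that pulls /URI link-action targets out of raw PDF bytes and applies those three checks. The thresholds (256 KB, 10 links, 60% on one host), the `farm.example` hosts and the sample PDF are all constructed for the example; it handles only uncompressed annotation dictionaries, so a file that hides its annotations in object streams needs decompressing first.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# A URI action looks like /A << /S /URI /URI (http://...) >>; the target may be a
# literal string (parentheses, with backslash escapes) or a hex string <...>.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def _unescape_literal(raw: bytes) -> bytes:
    # PDF literal strings escape ( ) and \ with a backslash.
    return re.sub(rb"\\([()\\])", rb"\1", raw)


def extract_uri_links(pdf: bytes) -> list[str]:
    """Return every URI-action target found in the raw PDF bytes."""
    targets = [_unescape_literal(m.group(1)) for m in URI_LITERAL.finditer(pdf)]
    for m in URI_HEX.finditer(pdf):
        hexdigits = re.sub(rb"\s", b"", m.group(1)).decode()
        if len(hexdigits) % 2:      # PDF pads a trailing odd digit with 0
            hexdigits += "0"
        targets.append(bytes.fromhex(hexdigits))
    return [t.decode("latin-1") for t in targets]


def link_farm_verdict(pdf: bytes, max_size: int = 256 * 1024,
                      min_links: int = 10, cluster_ratio: float = 0.6) -> dict:
    """Assumed thresholds (chosen for this example): a PDF no larger than
    max_size with at least min_links http(s) link targets, of which a share of
    at least cluster_ratio sit on a single host, is flagged as a link farm."""
    links = [u for u in extract_uri_links(pdf)
             if urlparse(u).scheme in ("http", "https")]
    hosts = Counter(urlparse(u).hostname for u in links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    ratio = top_count / len(links) if links else 0.0
    return {
        "size": len(pdf),
        "external_links": len(links),
        "top_host": top_host,
        "cluster_ratio": round(ratio, 2),
        "link_farm": len(pdf) <= max_size and len(links) >= min_links
                     and ratio >= cluster_ratio,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed input: a one-page PDF carrying one /Link annotation per URL.
    This is not the analysed sample."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 200 20] /A << /S /URI /URI ("
        + u.encode("latin-1") + b") >> >>\n" for u in urls)
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [\n"
            + annots + b"] >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


# Constructed link set: nine targets on one host plus three stragglers.
FARM_URLS = [f"http://farm.example/uploads/1/3/0/{i}/doc{i}.pdf" for i in range(9)] + [
    "http://other.example/a.pdf",
    "http://another.example/b.html#lure",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]

if __name__ == "__main__":
    print(link_farm_verdict(build_sample_pdf(FARM_URLS)))       # link_farm True
    print(link_farm_verdict(build_sample_pdf(FARM_URLS[:3])))   # link_farm False
```

The verdict dictionary keeps the raw counts alongside the boolean so that a triage analyst can see why a file tripped the rule, and the host ratio is computed over external links only, so internal /GoTo links and the font-metadata URLs that show up in document text do not dilute it.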

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       Kind              Source                                       Size
font_00_sfnt_off0000104d.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x104D    8616 bytes
  SHA-256: ad9d3ef24ed02487302f63deeb41ecc3d72ca6c0972132405bdc6ed710a6473b
font_01_sfnt_off00007551.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x7551    2148 bytes
  SHA-256: 908225b63e1717ce4d9443c39e5e0249165423a6f1725031e285b2c0c3b49b5f
font_02_sfnt_off00007ed6.bin   pdf-font-stream   PDF embedded font (sfnt) at offset 0x7ED6    16088 bytes
  SHA-256: 9b6648a5fd7d7e75d265bdfcd6ad1dfa3a4429c97e7aac063535f5d40df60e29