Malicious PDF — malware analysis report

Static analysis result for SHA-256 121625dfd990bc80…

Verdict: MALICIOUS
File type: PDF
Size: 43.3 KB
Authoring application: Solid Converter PDF
MD5: 1bdfd1aad01e421b8dfdfdce10dbe20a
SHA-1: 11336984c8da23f909bc5e57d008ce30d044073b
SHA-256: 121625dfd990bc8038bbab5168949854a045eba38eedc65d7df8ad1937e8ebcd
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files, a pattern used for SEO spam and for routing readers into further malicious or unwanted-software downloads. Two independent detections agree on the verdict: the ML classifier (malicious score 0.9999) and the ClamAV signature Pdf.Phishing.TtraffRobotInstall. The primary attack pattern is to direct the user into a link farm of external PDFs; the embedded URLs are the delivery path, not a detection in themselves, so they should be treated as indicators to block or hunt for rather than links to follow.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://theshootersedge.us/uploads/1/3/0/2/130287401/9928921.pdf
    • http://meridiansq.com/uploads/1/3/0/6/130639226/gafime_wikeximape_xadiguxemesaza_voxixafomuvap.pdf
    • http://turkeycreekretrievers.com/uploads/1/3/0/5/130539009/zitedep.pdf
    • http://weddingsinseychelles.com/uploads/1/3/0/5/130551429/1985970.pdf
    • http://polmaksondaj.com/uploads/1/3/0/4/130488891/lodafuxomuviveledex.pdf
    • http://precisionimprint.net/uploads/1/3/0/6/130604833/xobuwef_dasotivod_vazofobulababex_sulefirojufofo.pdf
    • http://prairienanotech.net/uploads/1/3/0/7/130738646/3771341.pdf
    • http://doctors-daughters.com/uploads/1/3/0/4/130490876/5da7e20.pdf
    • http://line.project-inspire.global/uploads/2020/01/28/minojogus-jipufigedekak-werefizexavebi.pdf
    • http://turpinenterprises.com/uploads/1/3/0/5/130551625/padituxuno.pdf
    • http://vehicleloanusa.com/uploads/1/3/0/6/130605230/2349767.pdf
    • http://us.momotombochocolatefactory.com/uploads/1/3/0/3/130313220/130313220.html#boy+scout+second+class+rank+requirements+pdf
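The PDF_SEO_LINK_FARM heuristic can be reproduced for triage with a short script. The following is an added example written for this page, not the scanner's own implementation: it pulls every /URI action target out of the raw bytes (PDF literal strings with escapes and hex strings), keeps the http(s) links whose path ends in .pdf, and flags a small file where most of those links sit on one host. The constructed sample document, the hosts farm.example and other.example, and the thresholds (256 KB, at least 8 PDF links, at least 50 % on the top host) are assumptions for illustration. It only sees annotation dictionaries stored uncompressed; on a real sample, inflate object streams first (for example qpdf --qdf --object-streams=disable in.pdf out.pdf) or the extractor will miss links that live inside a FlateDecode'd ObjStm.

```python
"""Link-farm triage for PDFs: extract /URI targets and score host clustering.
Added example, not the scanning platform's code. Only uncompressed
dictionaries are visible to the regex; inflate object streams first."""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI followed by a literal string (...) with backslash escapes, or a hex string <...>.
# Literal strings containing balanced but unescaped parentheses are not handled.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape_literal(raw: bytes) -> bytes:
    """Decode PDF literal-string escapes: \\n-style, \\( \\), \\ddd octal, line continuation."""
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c != b"\\" or i + 1 >= len(raw):
            out += c
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt in _ESCAPES:
            out += _ESCAPES[nxt]
            i += 2
        elif nxt in b"01234567":                 # \ddd octal, up to three digits
            j = i + 1
            while j < len(raw) and j < i + 4 and raw[j:j + 1] in b"01234567":
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
        elif nxt in (b"\n", b"\r"):              # backslash-newline continues the string
            i += 2
        else:                                    # unknown escape: drop the backslash
            i += 1
    return bytes(out)


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target in file order."""
    uris = []
    for m in _URI_RE.finditer(pdf):
        if m.group(1) is not None:
            raw = _unescape_literal(m.group(1))
        else:
            h = re.sub(rb"\s", b"", m.group(2))
            if len(h) % 2:                       # odd digit count: spec says append 0
                h += b"0"
            raw = bytes.fromhex(h.decode("ascii"))
        uris.append(raw.decode("latin-1"))
    return uris


def score_link_farm(pdf: bytes, *, max_size=256 * 1024, min_pdf_links=8,
                    min_top_host_share=0.5) -> dict:
    """Small file, many external .pdf links, most on one host. Thresholds are assumed."""
    uris = extract_uris(pdf)
    pdf_links = [u for u in uris
                 if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
               and share >= min_top_host_share)
    return {"size_bytes": len(pdf), "uris": uris, "pdf_links": len(pdf_links),
            "distinct_hosts": len(hosts), "top_host": top_host,
            "top_host_share": round(share, 3), "flagged": flagged}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed input: minimal uncompressed PDF, one Link annotation per URL,
    alternating literal and hex string encoding. No xref table, so it is a parse
    target for extract_uris rather than a viewer-ready document."""
    annots, refs = [], []
    for n, u in enumerate(urls, start=4):
        if n % 2 == 0:
            enc = "(" + u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)") + ")"
        else:
            enc = "<" + u.encode("latin-1").hex() + ">"
        annots.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                      f"/A << /S /URI /URI {enc} >> >>\nendobj\n")
        refs.append(f"{n} 0 R")
    doc = ("%PDF-1.4\n"
           "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
           "3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
           f"/Annots [{' '.join(refs)}] >>\nendobj\n"
           + "".join(annots) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return doc.encode("latin-1")


# Constructed sample: nine .pdf links on one host, one on another, one non-PDF page.
SAMPLE_URLS = [f"http://farm.example/uploads/1/3/0/2/130287401/{i}.pdf" for i in range(9)] \
    + ["http://other.example/uploads/1/3/0/5/130539009/x.pdf",
       "http://farm.example/uploads/1/3/0/3/130313220/index.html#scout+rank+requirements+pdf"]

if __name__ == "__main__":
    for k, v in score_link_farm(build_sample_pdf(SAMPLE_URLS)).items():
        if k != "uris":
            print(f"{k}: {v}")
```

Run against a real sample by replacing build_sample_pdf(...) with the file's bytes; the returned uris list is the IOC set to block or hunt for, and the per-host share tells you whether the carrier points at one staging host or is spread across compromised sites as in the list above.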

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000132d.bin
SHA-256: bb03cf231524d419991c7f7e74134360631a2969a7cc38e3da4552bb8f5ed82c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x132D
Size: 7856 bytes