Malicious PDF — malware analysis report

Static analysis result for SHA-256 1218337f6502f7d8…

MALICIOUS

PDF

Size: 41.1 KB
Authoring application: Pdftk
MD5: 823e392aac88907f043fe71e8c05e491
SHA-1: f422ed3189b3447edc2407ebbb963d8f36de5ad6
SHA-256: 1218337f6502f7d8c60af53cdf667232c9a224c659e5883fdd77bbbcc18b001a
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, identified as a PDF_SEO_LINK_FARM heuristic. ClamAV also detected this as Pdf.Phishing.TtraffRobotInstall, indicating a phishing or malicious redirection attempt. The embedded URLs are likely used to distribute malware or lead users to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, tag: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003e5e.bin
SHA-256: c61d03b55416e8873dc288663ad2df123fe035021342f76a6aa8a4d4f8ed7f7d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3E5E
Size: 7284 bytes