Malicious PDF — malware analysis report

Static analysis result for SHA-256 121dc4f35e01720b…

Verdict: MALICIOUS
File type: PDF
Size: 37.9 KB
Authoring application: Pdftk
MD5: e52d3dc9d0cee28f5897c6126c90c141
SHA-1: fb43916f16a0c87245a0fe595f6391fb47b373a7
SHA-256: 121dc4f35e01720bf27c5c194af7b240171e92b4cbb791315a1918d9a3b09578
Risk Score: 172

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document contains a large number of external links, flagged by the 'PDF_SEO_LINK_FARM' heuristic. The document body also contains these links, suggesting a lure to download further malicious PDF files. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate malicious intent, likely related to phishing or malware distribution. No scripts were extracted, so the embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • QR-code redirect lure [medium] SE_QR_LURE
    Document instructs the user to scan a QR code with a phone; this is consistent with QR phishing, but also common in legitimate documents.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://printingpressrollers4less.com/uploads/1/3/0/4/130488229/95620191e64e1d7.pdf
    • https://zowovexinopop.weebly.com/uploads/1/3/0/5/130590596/dujemalu.pdf
    • http://betterwithcontxt.com/uploads/1/3/0/6/130604910/71301c1f0694c82.pdf
    • http://salsmantour.org/uploads/1/3/0/2/130288864/kajupofiwi.pdf
    • http://secretingredientislove.com/uploads/1/3/0/4/130435978/7687519.pdf
    • http://jenniferocook.com/uploads/1/3/0/6/130604429/zefuki-nopudapupegupe.pdf
    • http://pinotimosu.pr19.icu/uploads/2020/01/28/bagosusobotefujavise.pdf
    • http://allthemaththings.weebly.com/uploads/1/3/0/6/130621459/rutijilofaj_nakujimazul_gaxejovunawav_jofipozedogu.pdf
    • http://bartolomeilaw.com/uploads/1/3/0/6/130604141/130604141.html#best+vr+cinema+app+for+android

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001279.bin
SHA-256: 7ae1d20ebceaeb9f92546a28d48b2b98d1f6073825f55e8e886bd864becd722a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1279
Size: 9376 bytes