Malicious PDF — malware analysis report

Static analysis result for SHA-256 13833aefb648ace0…

Verdict: MALICIOUS

File type: PDF

Size: 43.0 KB
Authoring application: Nitro PDF
MD5: fe22db05c7f8a3bc8ba91483d6f54a90
SHA-1: 8a10a1f9abc7008e5540a19d5e66ad89da173378
SHA-256: 13833aefb648ace0a22eea62ab39c9829e06ba3d9925658c5d964faffd899cb8
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV signature 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier score (1.0000) together indicate malicious intent. The primary attack pattern is to route users who click the links to a large set of external PDF files hosted across many domains, consistent with generated SEO spam that can front a malicious or unwanted-software delivery chain. No active content (JavaScript, embedded executables) is reported for this file; the risk lies in the click-through chain.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://potolok-oreburg.ru/uploads/2020/01/28/ripiluseb_teligak_zexobebud.pdf
    • http://metuchendentistry.com/uploads/1/3/0/6/130639725/lomib.pdf
    • http://bowaxe.ddnshit.com/uploads/2020/01/27/katexuzolezema.pdf
    • http://ahacia.com/uploads/1/3/0/6/130639636/6746113.pdf
    • http://kasasop.technologysolutionsandsupport.com/uploads/2020/01/27/f800a47ee03da1b.pdf
    • http://activeaidpartnerships.org/uploads/1/3/0/6/130620612/wimenukogafos.pdf
    • https://kazadekiregolis.weebly.com/uploads/1/3/0/5/130544352/kuwoxevemof-donuw-laxukizogolo-zifedejo.pdf
    • http://mylittletruffles.com/uploads/1/3/0/6/130605080/1602585.pdf
    • http://3rdgearwaseca.org/uploads/1/3/0/6/130620677/9015641.pdf
    • http://wosowej.giktarin.ru/uploads/2020/01/29/tuwonas.pdf
    • http://mekaded.djfoster.ru/uploads/2020/01/29/vobovipiselijifinix.pdf
    • http://kowiditane.sladenec.ru/uploads/2020/01/28/juwadopikiz.pdf
    • http://que-pour-elle.com/uploads/2020/01/27/1941889.pdf
    • http://photolenka.com/uploads/1/3/0/6/130639062/1250515.pdf
    • http://fip.game-server-and-client-configuration-in-sync.ru/uploads/2020/01/27/1227557.pdf
    • http://artichokesociety.org/uploads/1/3/0/5/130588380/6829954.pdf
    • http://sophiesrabbitry.com/uploads/1/3/0/5/130589108/wigofimibavu.pdf
    • http://dreamstaff.icu/uploads/2020/01/27/nupibeno.pdf
    • http://shardexplorers.com/uploads/1/3/0/6/130639884/130639884.html#referat+blighted+ovum+pdf
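The link-farm heuristic and the per-channel URL labelling described above, as an added example (this is not the analysis platform's own code): a regex-based scanner that pulls literal /URI strings out of uncompressed PDF objects, labels the construct that carried each one (link annotation, URI action, JavaScript), and applies "small file", "many external .pdf links" and "one dominant host" thresholds. The threshold values, the constructed one-page sample PDF and the hypothetical farm.example / other.example hosts are assumptions; objects packed into compressed object streams and hex-string URIs are not handled.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Thresholds are illustrative assumptions, not the analysis platform's real values.
MAX_SIZE_BYTES = 100 * 1024   # "small PDF"
MIN_PDF_LINKS = 10            # "many clickable external PDF links"
MIN_HOST_SHARE = 0.5          # "mostly clustered on one host"

# Uncompressed "N G obj ... endobj" bodies, and literal-string /URI (...) values.
_OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def _channel(body: bytes) -> str:
    """Label which PDF construct carries the URI (the report's per-URL channel label)."""
    if re.search(rb"/S\s*/JavaScript\b", body) or b"/JS" in body:
        return "javascript"
    if re.search(rb"/Subtype\s*/Link\b", body):
        return "link annotation"
    if re.search(rb"/S\s*/URI\b", body):
        return "uri action"
    return "other object"


def extract_uris(pdf: bytes) -> list:
    """Return (channel, url) pairs for every literal /URI string in uncompressed objects."""
    found = []
    for _num, body in _OBJ_RE.findall(pdf):
        chan = _channel(body)
        for raw in _URI_RE.findall(body):
            url = raw.replace(b"\\)", b")").replace(b"\\(", b"(").decode("latin-1")
            found.append((chan, url))
    return found


def link_farm_verdict(pdf: bytes) -> dict:
    """Apply the heuristic: small file, many external .pdf links, one dominant host."""
    external = [u for _c, u in extract_uris(pdf) if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_count = (hosts.most_common(1) or [(None, 0)])[0]
    share = top_count / len(external) if external else 0.0
    hit = (len(pdf) <= MAX_SIZE_BYTES
           and len(pdf_links) >= MIN_PDF_LINKS
           and share >= MIN_HOST_SHARE)
    return {"size": len(pdf), "external": len(external), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2), "link_farm": hit}


def build_sample_pdf(urls: list) -> bytes:
    """Constructed test input (not the analysed sample): one page, one /Link annotation per URL."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annots + b"] >>")
    for i, u in enumerate(urls):
        rect = b"[72 %d 540 %d]" % (700 - 14 * i, 712 - 14 * i)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect " + rect +
                    b" /A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


if __name__ == "__main__":
    # Twelve .pdf links on one hypothetical host plus one unrelated page: trips the heuristic.
    farm = build_sample_pdf([f"http://farm.example/uploads/{i}.pdf" for i in range(12)]
                            + ["http://other.example/page.html"])
    for chan, url in extract_uris(farm):
        print(f"{chan:16} {url}")
    print(link_farm_verdict(farm))
```

For a real sample, call `link_farm_verdict(open(path, "rb").read())`; because the scanner only sees uncompressed objects, normalise the file first with `qpdf --qdf --object-streams=disable in.pdf out.pdf` so that annotations packed into object streams become visible. The verdict dict deliberately reports the raw counts and host share alongside the boolean so an analyst can see which threshold was decisive.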

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001544.bin
SHA-256: 560b0a2ff410ed87ca51e1852ad3435aedff3581d924ccaea30e819aa0a86d6c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1544
Size: 8820 bytes