Malicious PDF — malware analysis report

Static analysis result for SHA-256 1524edb86c8238dd…

Verdict: MALICIOUS
File type: PDF
Size: 32.8 KB
Authoring application: PDF Studio
MD5: 8d91b97917592d765c948441c0270f14
SHA-1: b36f8ef9502269efdddbed4e45c7c2ff581bd287
SHA-256: 1524edb86c8238dd95194c0b1fe1b1862f6079a3e0a9ae89f5a313a0c068901a
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of embedded links to external PDF files hosted on various domains, which is indicative of a link farm or a distribution mechanism for further malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', together with the ML classifier verdict, strongly suggests malicious intent. Although no scripts were extracted, the document structure and the numerous external links point towards a phishing or content-distribution attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002ac5.bin
SHA-256: 795c1db055f8a49eee941e31d8ac42694a95b1e74a76b30e60c78eb569fa1e3e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2AC5
Size: 6724 bytes