Malicious PDF — malware analysis report

Static analysis result for SHA-256 162fa10904feaed5…

MALICIOUS

PDF

44.4 KB Authoring application: Mobipocket Creator
MD5: ed3ce770bb1a61356968e1ab6d11ff29 SHA-1: b574347520bb84bbe5aebee4e86beab83dd92ee4 SHA-256: 162fa10904feaed5cd1b179f2a3a59dc0b51f139ebf83d6ef37448996c46c6ed
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links to other PDF files, masquerading as a vocabulary resource. This technique, identified as a PDF link farm, is designed to distribute malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution via the linked PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mrkellysupholstery.com/uploads/1/3/0/6/130604730/77b37c9bc6f1729.pdf
    • http://mysecretlagoon.com/uploads/1/3/0/3/130324420/6806291.pdf
    • http://purrfectpurr.com/uploads/1/3/0/4/130488451/diwamivuvomo.pdf
    • http://lectricwind.com/uploads/1/3/0/5/130544754/8796471.pdf
    • http://arkansaspropertymaintenance.com/uploads/1/3/0/4/130483578/vifop-poliwo-nozasaniwi-xuzolupu.pdf
    • http://macrovisionhospitality.com/uploads/1/3/0/2/130289397/f649914c71daf08.pdf
    • http://misssoutheastpageantry.us/uploads/1/3/0/4/130476766/130476766.html#daily+use+vocabulary+english+to+gujarati+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000112b.bin
d847ec37837c87110cfade8e7d7bcdd0eb2bb182faf4165c1e9030cf339b1557		 pdf-font-stream PDF embedded font (sfnt) at offset 0x112B 7760 bytes
font_01_sfnt_off000058ab.bin
f8b61715548522b231cc614fae17724661adc330e76f4f8b9331fcc6fd611692		 pdf-font-stream PDF embedded font (sfnt) at offset 0x58AB 9880 bytes
font_02_sfnt_off00007298.bin
d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7298 2616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.