Malicious PDF — malware analysis report

Static analysis result for SHA-256 163041654f73ffe9…

MALICIOUS

PDF

Size: 59.2 KB
Authoring application: Mobipocket Creator
MD5: 84f5266588f5782cc38914a4e98a0629
SHA-1: f09f332d02b4a172c73e696814a91af13dd7ebbf
SHA-256: 163041654f73ffe93ab0b43b33d2d025ad3b489ef66aeffe77039fd6aac10c95
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm designed to redirect users to potentially malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution via these links. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006c24.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6C24
    Size: 3512 bytes
    SHA-256: 79d0a60945554d15af9b7375f7bc6cf02fd6af5b0e75f9033762efc89919513e
  • font_01_sfnt_off000077a2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x77A2
    Size: 16184 bytes
    SHA-256: 7bee93be88e6f9a3b9f0408d8faa9ac2b7c4a1554334007374f6eed6e7e96787
  • font_02_sfnt_off00008fd7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8FD7
    Size: 8668 bytes
    SHA-256: 7cdd69edbfc77b0da68193ee543981f4b57bf09da5b6b3d3e4dd8c2ae2044fd0