Malicious PDF — malware analysis report

Static analysis result for SHA-256 16ba9f4dff5ab9b3…

Verdict: MALICIOUS
File type: PDF
Size: 35.1 KB
Authoring application: PDF Studio
MD5: 1e91eca086fbcdc824a8ea6776839ece
SHA-1: 50f5d3bda4efc9366da5603796d893a9a68afe1f
SHA-256: 16ba9f4dff5ab9b3dc3fef6bc1960f541841a7e2a9ad22ecf039048db2c4230e
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document was flagged by several independent signals: the critical PDF_SEO_LINK_FARM heuristic (a small file carrying a large number of external links), a ClamAV phishing signature, and a maximal score from the PDF classifier. The embedded URLs, such as http://info-phoceens.com/uploads/1/3/0/4/130483122/gazafulowoduvazi.pdf, are likely part of a phishing or redirection scheme. No scripts were extracted, so the risk lies in the link structure rather than in embedded code: the link farm suggests an attempt to lure users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://info-phoceens.com/uploads/1/3/0/4/130483122/gazafulowoduvazi.pdf
    • http://pvff.org/uploads/1/3/0/6/130639591/bafabotobob-sokaranusujaje-bosolul-muzowo.pdf
    • http://ldhbuyshomes.com/uploads/1/3/0/5/130589998/biwogeburu.pdf
    • http://casadelasuerteylafortuna.com/uploads/1/3/0/5/130588315/68317402608aec5.pdf
    • http://jakpop.net/uploads/1/3/0/5/130550998/riligojakaz_wovogabewililo_nawolovumaf_tiratilo.pdf
    • http://mytayloralexander.com/uploads/1/3/0/5/130551251/sekajarenivo.pdf
    • http://leiko.org/uploads/1/3/0/8/130815097/10b2445227457.pdf
    • http://troop827.info/uploads/1/3/0/3/130379058/gubevotefate_jizojufinis_lenemu.pdf
    • http://darkestsidesilver.com/uploads/1/3/0/3/130324370/mesomafozetozenufeva.pdf
    • http://alaskaandhacheries.com/uploads/1/3/0/6/130621701/8273345.pdf
    • http://suite420marketing.com/uploads/1/3/0/7/130738620/bf7d7.pdf
    • http://atombeauty.com/uploads/1/3/0/3/130313140/ecf78622b.pdf
    • http://chloelgroup.com.au/uploads/1/3/0/5/130588289/2932091.pdf
    • http://modernyogiwisdom.com/uploads/1/3/0/3/130312985/vuxedumivenokeli.pdf
    • http://74-123-77-212.mgwnet.com/uploads/1/3/0/6/130605237/130605237.html#convert+docx+to+pdf+using+docx4j
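The link-farm rule and the embedded-URL extraction above come down to one piece of logic: pull every /URI link action out of the file, including any packed into compressed object streams, then judge how many there are and how they spread over hosts relative to the file size. The following is an added example written for this page, not the scanner's own code; the toy PDF builder, the host names and the three thresholds are constructed assumptions, and the real rule's thresholds are not published in the report.

```python
"""Link-farm check over a PDF's URI link annotations.

Added example for this report, not the scanner's own code. It scans a PDF for
/URI link actions, inflating FlateDecode streams so annotations packed into
object streams are seen too, then groups the links by host and applies a
small-file / many-links / one-host rule in the spirit of PDF_SEO_LINK_FARM.
All thresholds are assumptions chosen for illustration.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Assumed thresholds; the report does not publish the real ones.
MAX_SMALL_PDF_BYTES = 64 * 1024   # "small PDF"
MIN_EXTERNAL_LINKS = 8            # "many clickable external links"
MIN_TOP_HOST_SHARE = 0.5          # "mostly clustered on one host"

# /URI (literal string) inside a link action; PDF literal strings may escape
# parentheses and backslashes with a backslash.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape(raw: bytes) -> str:
    # Drop the backslash of each PDF literal-string escape.
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """All /URI strings in the raw bytes plus in any stream that inflates."""
    blobs = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate data (image, font, ...); nothing to inflate
    return [_unescape(m.group(1)) for blob in blobs for m in URI_RE.finditer(blob)]


def link_farm_verdict(pdf: bytes) -> dict:
    """Apply the toy rule and return the evidence behind the decision."""
    links = sorted({u for u in extract_uris(pdf)
                    if u.lower().startswith(("http://", "https://"))})
    hosts = Counter(urlsplit(u).hostname or "" for u in links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(links) if links else 0.0
    small = len(pdf) <= MAX_SMALL_PDF_BYTES
    many = len(links) >= MIN_EXTERNAL_LINKS
    clustered = share >= MIN_TOP_HOST_SHARE
    return {
        "size": len(pdf), "unique_links": len(links),
        "top_host": top_host, "top_host_share": round(share, 3),
        "flagged": small and many and clustered,
    }


def make_sample_pdf(urls: list) -> bytes:
    """Constructed test input (not the analysed sample): a toy PDF carrying one
    link annotation per URL. Every second annotation is placed inside a
    FlateDecode object stream so the inflate path is exercised."""
    inline, packed = [], []
    for i, u in enumerate(urls):
        annot = (f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                 f"/A << /S /URI /URI ({u}) >> >>").encode("latin-1")
        (packed if i % 2 else inline).append(annot)
    pdf = b"%PDF-1.7\n" + b"\n".join(inline) + b"\n"
    if packed:
        data = zlib.compress(b"\n".join(packed))
        pdf += (b"9 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length "
                + str(len(data)).encode() + b" >>\nstream\n" + data
                + b"\nendstream\nendobj\n")
    return pdf + b"%%EOF\n"


if __name__ == "__main__":
    farm = make_sample_pdf(
        [f"http://links.example/uploads/1/3/0/{i}/file{i}.pdf" for i in range(10)]
        + ["http://other.example/a.pdf", "https://another.example/b.pdf"])
    print(link_farm_verdict(farm))
    print(link_farm_verdict(make_sample_pdf(["https://vendor.example/manual.pdf"])))
```

Two caveats a practitioner would want. First, a byte-level scan only sees Flate-compressed streams; encrypted documents, other filters (LZW, ASCIIHex, ASCII85) and URIs written as hex strings need a real PDF parser in front of this logic. Second, the URLs in this report are spread over many different hosts, so a pure one-host clustering test like the one above would not fire on them; what they do share is the `/uploads/1/3/0/…/` path template, and a production rule should weigh repeated path shapes across hosts as well as host concentration.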

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002d5f.bin
SHA-256: b097d5b17ade151f8c42207f321e2dc9e656eaf11b0e4fca8e335118406a14dd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2D5F
Size: 8600 bytes