Malicious PDF — malware analysis report

Static analysis result for SHA-256 174b7c2eef2783f9…

MALICIOUS

PDF

Size: 52.7 KB
Authoring application: PDFedit
MD5: d9224f4892e97f03e970401ddb3bb265
SHA-1: 28c9a338ba5ad27897142800098e5bbffea2630c
SHA-256: 174b7c2eef2783f94671d60addff10c996267c724254801a5638e53cc3bc9dd3
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a mass external link farm with 30 links, identified by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV also flagged this file as malicious, with ClamAV specifically identifying it as Pdf.Phishing.TtraffRobotInstall. The embedded URLs likely lead to malicious content or phishing pages, and the document body is heavily obfuscated and contains irrelevant text.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://noblebase.com/uploads/1/3/0/9/130969080/fumizepululaluk_zobedojaxowi_tovuwudazevaj_joravir.pdf
    • http://sweetliving.net/uploads/1/3/0/2/130273740/besana_siwob.pdf
    • http://mta-sts.wrapitexpress.com/uploads/1/3/0/5/130589413/6db4b94a95c2b2.pdf
    • http://www.weloveamywinehouse.com/uploads/1/3/0/2/130273980/fepifibutuki-zekofuwuz-bezunemi.pdf
    • http://ifossicker.com/uploads/1/3/0/3/130324158/zewak.pdf
    • http://lessononetwothree.com/uploads/1/3/0/6/130604694/9028417.pdf
    • http://allbummedout.com/uploads/1/3/0/8/130814594/4792042.pdf
    • http://nywfj.org/uploads/1/3/0/7/130776749/tulegexokini.pdf
    • http://menfixed.com/uploads/1/3/0/2/130270977/marolafivazewiwipap.pdf
    • http://cadenceresource.com/uploads/1/3/0/5/130588425/vutobiwivegaza.pdf
    • http://hostmaster.pashminaforme.co.uk/uploads/1/3/0/5/130588345/jajibe-gokore.pdf
    • http://www.eattrainwin.co.uk/uploads/1/3/0/5/130543979/1825376.pdf
    • http://fromthelionsdeleos.com/uploads/1/3/0/2/130272548/3a4454.pdf
    • http://novembereleven.net/uploads/1/3/0/7/130775510/3072476.pdf
    • http://creekviewanglers.com/uploads/1/3/0/6/130621197/4456001.pdf
    • http://cutrightlawncare.net/uploads/1/3/0/4/130476045/130476045.html#pathogenicity+of+staphylococcus+cohnii
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00004d06.bin
    SHA-256: b3affdfdfee497c2d3230853582529cf395d265bfdbb8cde7d84ae9c33602211
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4D06
    Size: 16036 bytes
  • font_01_sfnt_off00006138.bin
    SHA-256: 8cd2963997ece07bf726de0c63ae845e4f11b2803599ef4df478321b383d1f65
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6138
    Size: 2944 bytes
  • font_02_sfnt_off00006ecd.bin
    SHA-256: 84055525f397bf6d356862ecdb1c388ad1d44e2bc231c6c5f0f2beab7697bd27
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6ECD
    Size: 10572 bytes