Malicious PDF — malware analysis report

Static analysis result for SHA-256 1788dd5c56f0ebf3…

Verdict: MALICIOUS
File type: PDF
Size: 50.9 KB
Authoring application: Smallpdf Desktop
MD5: fd3a590545dbd07761fb65e0456f2dd7
SHA-1: 903f37dae5c7403754de86be175c892637639ff5
SHA-256: 1788dd5c56f0ebf3477b392c02baa5fad9a69f208153097fbc029ca5c9db619d
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF was flagged by three heuristics, two of them critical: a rule for a mass external PDF link farm (PDF_SEO_LINK_FARM) and a ClamAV detection for Pdf.Phishing.TtraffRobotInstall-7605656-0. A 50.9 KB document carrying more than a dozen clickable links to .pdf files under the same /uploads/1/3/0/ path template is the pattern of a generated SEO/link-farm carrier used to route readers into further malicious or unwanted-software downloads, not a normal citation pattern. The remaining URLs (ascendercorp.com, fedoraproject.org, dejavu.sourceforge.net, adobe.com, google.com/get/noto and scripts.sil.org) match the copyright and licence strings of the Liberation, DejaVu and Noto font families and most likely come from the four embedded font streams listed under Extracted artifacts rather than from link annotations; they should not be counted towards the link farm. The extracted document text was heavily obfuscated and unreadable.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://barsportpobla.com/uploads/1/3/0/8/130813762/29c9ed.pdf
    • http://monuem.org/uploads/1/3/0/7/130739923/4051811.pdf
    • http://oregonfoodcarts.com/uploads/1/3/0/6/130639309/3362879.pdf
    • http://iamchennai.com/uploads/1/3/0/3/130324416/492365.pdf
    • http://mindstate.store/uploads/1/3/0/6/130639608/bevemisi.pdf
    • http://alcohalloffame.com/uploads/1/3/0/8/130874136/segimevujisapas.pdf
    • http://axissyllabus.net/uploads/1/3/0/8/130813896/0f2d0e90d.pdf
    • http://dishahealth.com/uploads/1/3/0/2/130289510/gufosuduzutuna.pdf
    • http://christiancoelho.com/uploads/1/3/0/4/130435702/dd48925466412.pdf
    • http://xoglamaccess.com/uploads/1/3/0/7/130775366/8482383.pdf
    • http://buddy-burner.com/uploads/1/3/0/6/130605165/0f972c3b560.pdf
    • http://amandlastenberg.com/uploads/1/3/0/7/130740376/27e510.pdf
    • http://gwcustomsbrokers.com/uploads/1/3/0/7/130776183/6736238.pdf
    • http://naturalshandmade.com/uploads/1/3/0/6/130605001/21e526db.pdf
    • http://ahwv.org/uploads/1/3/0/3/130323984/7eacffed.pdf
    • http://kbtezkh.brdge.org/uploads/1/3/0/8/130814785/130814785.html#bd140+pnp+transistor+datasheet
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://www.adobe.com/
    • http://www.google.com/get/noto/
    • http://www.adobe.com/type/
    • http://scripts.sil.org/OFL
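The PDF_SEO_LINK_FARM rule and the per-URL channel labelling described under EMBEDDED_URL can be reproduced with a few lines of scanning logic. The following is an added example written for this page, not the analysis engine's own code: it pulls the /URI action of every link annotation out of raw PDF bytes, labels every other URL-looking string (such as font licence text inside a stream) as non-clickable, and scores the clickable set on count, .pdf share and host concentration. The sample blob, the host names and the thresholds are constructed for the example and are assumptions, not the rule's real parameters; it only handles uncompressed objects with literal-string URIs, so a production version would inflate Flate-compressed object streams first.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, not the report's file: an uncompressed, loosely PDF-shaped
# byte blob with five /URI link annotations and one embedded font stream whose
# licence text also contains URLs. Hosts and paths are invented.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (http://farm-a.example/uploads/1/3/0/8/1308/aa11.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (http://farm-a.example/uploads/1/3/0/7/1307/bb22.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (http://farm-a.example/uploads/1/3/0/6/1306/cc33.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (http://farm-b.example/uploads/1/3/0/3/1303/dd44.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (https://fedoraproject.org/wiki/Licensing/LiberationFontLicense) >> >> endobj
9 0 obj << /Subtype /TrueType /Length 130 >>
stream
Copyright (c) 2012 Google Inc. All Rights Reserved. http://www.google.com/get/noto/
Licensed under the SIL Open Font License: http://scripts.sil.org/OFL
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /A << /S /URI /URI (literal string) >> : the clickable channel. Handles
# backslash-escaped parentheses inside the literal string.
URI_ANNOT_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)")
# Anything that merely looks like a URL, wherever it sits in the file.
ANY_URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")


def link_annotation_uris(data: bytes) -> list:
    """URLs a reader can reach by clicking: the /URI action of link annotations."""
    return [m.group(1).decode("latin-1") for m in URI_ANNOT_RE.finditer(data)]


def classify_urls(data: bytes) -> dict:
    """Label every URL-looking string by the channel it was found in:
    'link-annotation' if it is a clickable /URI action, else 'stream/body'
    (font licence text, document text, metadata)."""
    clickable = set(link_annotation_uris(data))
    labels = {}
    for m in ANY_URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        labels.setdefault(url, "link-annotation" if url in clickable else "stream/body")
    return labels


def link_farm_features(data: bytes) -> dict:
    """Features the link-farm rule reasons about, computed on clickable links only."""
    uris = link_annotation_uris(data)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    return {
        "size_bytes": len(data),
        "clickable_links": len(uris),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": top_count / len(pdf_links) if pdf_links else 0.0,
    }


# Thresholds are assumptions chosen for this example, not the engine's tuning.
MAX_SMALL_PDF_BYTES = 100 * 1024   # "small PDF"
MIN_PDF_LINKS = 4                  # "many" external .pdf links
MIN_HOST_SHARE = 0.5               # "mostly clustered on one host"


def is_seo_link_farm(data: bytes) -> bool:
    f = link_farm_features(data)
    return (f["size_bytes"] <= MAX_SMALL_PDF_BYTES
            and f["pdf_links"] >= MIN_PDF_LINKS
            and f["top_host_share"] >= MIN_HOST_SHARE)


if __name__ == "__main__":
    for url, channel in classify_urls(SAMPLE_PDF).items():
        print(f"{channel:16} {url}")
    print(link_farm_features(SAMPLE_PDF), "-> link farm:", is_seo_link_farm(SAMPLE_PDF))
```

On the sample the three non-clickable URLs (two in the font stream, none of them .pdf) are excluded from the score, which is exactly why a report should label the channel per URL before counting: licence strings from embedded fonts would otherwise inflate the link count of every PDF that embeds Noto or Liberation.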

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                      SHA-256                                                           Kind             Source                                     Size
font_00_sfnt_off00003311.bin  31d9e78de7fdb0412e4bcff959e07f028379b1c35e115af7e492c8e84592a7e5  pdf-font-stream  PDF embedded font (sfnt) at offset 0x3311  2820 bytes
font_01_sfnt_off00003cac.bin  e4b0a4284b2f94bcccb5d50e568d44e09b7845e40d6a1d57d180fff66791d635  pdf-font-stream  PDF embedded font (sfnt) at offset 0x3CAC  16852 bytes
font_02_sfnt_off000053e9.bin  c4a4965c4f910c2665d39696513353c28e87f0c1b0fa2b9f03ac49030f6ded78  pdf-font-stream  PDF embedded font (sfnt) at offset 0x53E9  5708 bytes
font_03_sfnt_off00006933.bin  e4c55a2daebd9959ad88cd0db3d78d9e05f59df9d0b13bebb8c8b87f957a45d3  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6933  9576 bytes
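The artifacts above are sfnt fonts carved at a byte offset with a length derived from the font itself. The following added example (written for this page, not the analysis engine's carver) shows the usual way to do that: scan for the sfnt magics, then trust a hit only if its table directory parses, and take the font length as the end of its last table rounded up to 4 bytes. The sample font and the PDF-like container it is planted in are constructed inline and are not usable fonts; the example assumes the font streams are stored uncompressed, whereas real FontFile streams are usually Flate-compressed and must be inflated before scanning.

```python
import struct
from typing import List, Optional, Tuple

# sfnt container magics: TrueType (0x00010000), CFF-flavoured OpenType ("OTTO")
# and Apple TrueType ("true"). The word "true" also occurs in PDF dictionaries,
# so every hit is validated against the table directory before it is accepted.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def sfnt_length(data: bytes, off: int) -> Optional[int]:
    """Length of the sfnt whose header starts at off, derived from its table
    directory (numTables at +4, then 16-byte records tag/checksum/offset/length).
    Returns None when the header is not a plausible font."""
    if off + 12 > len(data):
        return None
    num_tables = struct.unpack_from(">H", data, off + 4)[0]
    if not 1 <= num_tables <= 64:
        return None
    dir_end = 12 + 16 * num_tables
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        if rec + 16 > len(data):
            return None
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", data, rec)
        if not all(0x20 <= c < 0x7F for c in tag):      # tags are printable ASCII
            return None
        if t_off < dir_end or off + t_off + t_len > len(data):
            return None
        end = max(end, t_off + t_len)
    return min((end + 3) & ~3, len(data) - off)          # tables are 4-byte aligned


def carve_sfnt_fonts(data: bytes) -> List[Tuple[int, int]]:
    """Scan raw bytes for embedded sfnt fonts and return [(offset, length), ...].
    Assumption: fonts are stored uncompressed (inflate FontFile streams first)."""
    found = []
    pos = 0
    while True:
        hits = [h for h in (data.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        length = sfnt_length(data, off)
        if length:
            found.append((off, length))
            pos = off + length          # skip magics that occur inside the font body
        else:
            pos = off + 1               # text hit such as "/Marked true": move on


def build_sample_sfnt() -> bytes:
    """Constructed minimal TrueType-style sfnt with two dummy tables (not a real font)."""
    tables = [(b"head", b"\x00" * 54), (b"cmap", b"\x00\x00\x00\x01" * 3)]
    offset = 12 + 16 * len(tables)
    records, body = b"", b""
    for tag, blob in tables:
        padded = blob + b"\x00" * (-len(blob) % 4)
        records += struct.pack(">4sIII", tag, 0, offset, len(blob))
        body += padded
        offset += len(padded)
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 32, 1, 0)
    return header + records + body


def build_sample_container() -> bytes:
    """Constructed PDF-like blob: two copies of the sample font in uncompressed
    streams, plus a '/Marked true' dictionary that a naive magic scan would mis-hit."""
    font = build_sample_sfnt()
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /MarkInfo << /Marked true >> >> endobj\n"
            b"5 0 obj << /Length 112 >>\nstream\n" + font + b"\nendstream\nendobj\n"
            b"6 0 obj << /Length 112 >>\nstream\n" + font + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    sample = build_sample_container()
    for i, (off, length) in enumerate(carve_sfnt_fonts(sample)):
        print(f"font_{i:02d}_sfnt_off{off:08x}.bin  offset 0x{off:X}  {length} bytes")
```

The report's file names (font_NN_sfnt_offXXXXXXXX.bin) follow the same offset-based convention the example prints; the lengths (2820, 16852, 5708, 9576 bytes) are what this kind of directory walk yields, which is more reliable than trusting the enclosing stream's /Length because a malformed or lying /Length is exactly what a hostile PDF may carry.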