Malicious PDF — malware analysis report

Static analysis result for SHA-256 179aeae39bce81d2…

Verdict: MALICIOUS
File type: PDF
Size: 43.8 KB
Authoring application: Poppler-utils
MD5: fde7cff789895c0645b0a478116a8482
SHA-1: 00f5e87657a429254b235df9e49b92237060ff59
SHA-256: 179aeae39bce81d245b6c6f9dd9f905098af2b83722161e74d04db29a7029d0e
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files across various domains, a technique often used for SEO spam or to distribute further malicious content. ClamAV detected this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', indicating a phishing or traffic redirection scheme. No scripts were extracted, but the sheer volume of external links suggests a coordinated effort to direct users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://jennnorthey.com/uploads/1/3/0/4/130477882/kisememopop.pdf
    • http://tokyotaco.com/uploads/1/3/0/6/130620650/setogexuduloxon_gomexup_bevojafusitizus.pdf
    • http://remarkablecanine.com/uploads/1/3/0/5/130541402/2044580.pdf
    • http://slushproductions.com/uploads/1/3/0/2/130271187/jowasi-tiriregilev.pdf
    • http://littlebittyscafe.com/uploads/1/3/0/7/130776555/528e3c0a87689.pdf
    • http://altercredo.com/uploads/1/3/0/6/130622076/6823146.pdf
    • http://filmmonk.org/uploads/1/3/0/4/130435943/0106288506f2d6d.pdf
    • http://cafefresco48.com/uploads/1/3/0/5/130590026/sijusi.pdf
    • http://foundryrents.com/uploads/1/3/0/7/130739602/22bd3f97bee1c0.pdf
    • http://www.lockheartproject.com/uploads/1/3/0/2/130289796/556032.pdf
    • http://estoniandesign.ee/uploads/1/3/0/7/130776476/1318018.pdf
    • http://mail.bridgeportpta.org/uploads/1/3/0/2/130287505/dadizudutoxajot-pumeturas-vapufewoga-vopasop.pdf
    • http://mta-sts.mx.mindseyevintage.com/uploads/1/3/0/7/130775092/1139318.pdf
    • http://bakoniagroup.com/uploads/1/3/0/6/130620268/gotemibibes-zoginadi-zofepasuder-gumoforibubo.pdf
    • http://officespace1999.com/uploads/1/3/0/6/130620788/4a347533e1696.pdf
    • http://27000grainsdecafe.ca/uploads/1/3/0/5/130538842/454792.pdf
    • http://www.actamsea.org/uploads/1/3/0/8/130873876/5371268.pdf
    • http://ingenious.today/uploads/1/3/0/6/130640126/6a4147dbc586d0.pdf
    • http://bristleconestrategies.com/uploads/1/3/0/6/130621798/guliridul_feliruk_rifotigowise.pdf
    • http://blueraspberryscarves.com/uploads/1/3/0/6/130639443/faf04988.pdf
    • http://www.matthew-zimmer.com/uploads/1/3/0/9/130969424/130969424.html#how+to+convert+chinese+pdf+file+to+english
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00003235.bin
    SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3235
    Size: 16204 bytes
  • font_01_sfnt_off00004a55.bin
    SHA-256: 48bf7f5696fb18beb2b67f74852d9249a3714426a4cdecce221b69083e8925a1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4A55
    Size: 8372 bytes