Malicious PDF — malware analysis report

Static analysis result for SHA-256 1891e8730952eb37…

MALICIOUS

PDF

Size: 37.0 KB
Authoring application: pstoedit
MD5: 00827fd4c61cbddba0c28f937a9f18ef
SHA-1: 8378a7e5e5eb32a3645701a89248536680a33666
SHA-256: 1891e8730952eb37dabd43e9fe6b78162afb4c7cbd004f71e01e05e709e1e4e3
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, detected as a 'PDF_SEO_LINK_FARM' heuristic. The ML classifier and ClamAV also flagged this file as malicious, with ClamAV identifying it as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The embedded URLs likely serve to redirect users to malicious content or facilitate SEO manipulation, which is a common tactic for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://skinweekly.com/uploads/1/3/0/3/130312965/6333982.pdf
    • http://miamitownshiphealthandwellnesscenter.com/uploads/1/3/0/7/130739766/e8cbc0.pdf
    • http://galatians67.com/uploads/1/3/0/3/130313169/sobapu-risanagaxivip-rujok.pdf
    • http://spice-grind.com/uploads/1/3/0/6/130605019/voxilevog.pdf
    • http://realfoodinitiatives.com/uploads/1/3/0/4/130488163/tatixuxonex.pdf
    • http://mrsbrennersbiology.com/uploads/1/3/0/2/130287537/07fa527.pdf
    • http://nj1stcatlounge.com/uploads/1/3/0/2/130271212/3451833.pdf
    • http://prettylittlethings.ca/uploads/1/3/0/2/130273899/nusepa.pdf
    • http://aubreyandkatefreeman.com/uploads/1/3/0/6/130621317/5786894.pdf
    • http://blingblingmobileboutique.com/uploads/1/3/0/4/130483862/kupowow-xivodubari-mabagagerotot-labupawaputa.pdf
    • http://apprework.com/uploads/1/3/0/3/130323341/4cad0119.pdf
    • http://newspinlaser.net/uploads/1/3/0/3/130379251/d6ba8d93.pdf
    • http://www.frontninewine.net/uploads/1/3/0/8/130874655/b32b4c92480d655.pdf
    • http://katletki.com/uploads/1/3/0/5/130544070/5929896.pdf
    • http://bnaiisraelnc.com/uploads/1/3/0/2/130291658/068c5163e.pdf
    • http://landandstars.com/uploads/1/3/0/8/130813557/texipe_vukagulal_pifawadisof_tanagebedimot.pdf
    • http://landuseandwater.net/uploads/1/3/0/2/130291623/mujafinenevidufuzep.pdf
    • http://stellartrading.co/uploads/1/3/0/3/130313305/munejago.pdf
    • http://podollanportal.devsite-1.com/uploads/1/3/0/8/130874543/130874543.html#actinomyces+oris+pathogen

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000333d.bin
SHA-256:  bf862d02d03ae5371ca9048810aea42a9285fe2320c06b882e6c00d3ad4bc74f
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x333D
Size:     7824 bytes