Malicious PDF — malware analysis report

Static analysis result for SHA-256 18c14ca40252b15d…

Verdict: MALICIOUS
File type: PDF
Size: 53.0 KB
Authoring application: ImageMagick
MD5: e6bcf5f5cb1875f172e4d641aaffcd1f
SHA-1: 27de6c571df4fc27f4e89055bb1caafcc511bd54
SHA-256: 18c14ca40252b15d4d8ed6839c34c64816804be910d265e03cc98a90549cdc92
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. ClamAV detected this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', indicating a phishing or malicious redirection attempt. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005991.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5991
    Size: 16036 bytes
    SHA-256: b3affdfdfee497c2d3230853582529cf395d265bfdbb8cde7d84ae9c33602211
  • font_01_sfnt_off000070e4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x70E4
    Size: 8600 bytes
    SHA-256: 6324a5245540369d1ad035e1f9fc582c14191008e9049982461f5b6be2732447