Malicious PDF — malware analysis report

Static analysis result for SHA-256 20b1968442475e27…

Verdict: MALICIOUS
File type: PDF

Size: 40.5 KB
Authoring application: pdf-parser
MD5: e31dcafe45d5386122573e7478e18bd9
SHA-1: eeba8e9788f73be07bbb3dfd1c59646889713a1f
SHA-256: 20b1968442475e278ef334ebda79c33e4b7daf6b8d1cf48c820f9b98890a17b5
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute malware. ClamAV identified this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', indicating a phishing or traffic redirection purpose. The ML classifier also strongly flagged this as malicious. No scripts were extracted, but the primary attack pattern involves directing users to a network of suspicious URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000038c3.bin | ab3f35905e85beacd263675b86349ff2bfae2f31e268531550138b91673c1b34 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x38C3 | 2868 bytes
font_01_sfnt_off0000457c.bin | ae74e35572bb8923b199eb52787310cbb3913fe7471c1af5b2babb38e8648d06 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x457C | 8260 bytes