Malicious PDF — malware analysis report

Static analysis result for SHA-256 224d1f90a2be59ba…

MALICIOUS

PDF

Size: 48.1 KB
Authoring application (Producer): pdf-parser
MD5: e4b704876fb21a56f1073fd77f739ad3
SHA-1: 38ae311f45d44846cc1e887a4fdf1091fe4d43dc
SHA-256: 224d1f90a2be59baab20126a71a8c33aa5a5332ba1c0251d0f04514c6f98e6ab
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of embedded link annotations whose targets are other PDF files hosted on many different domains, all following the same generated path pattern (/uploads/1/3/0/.../<id>/<name>.pdf). This is the signature of SEO spam / link-farm PDF carriers, which are used to route users into further malicious or unwanted-software delivery chains. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier output (malicious score 0.9999) both indicate malicious intent. No scripts (JavaScript, OpenAction, Launch) were extracted from this sample, so the risk lies in the user clicking the links rather than in automatic execution on open.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://spaatthecolonnade.net/uploads/1/3/0/6/130640033/bc2dc1d1.pdf
    • http://dunaecrenwelge.com/uploads/1/3/0/3/130323302/56476.pdf
    • http://mikevaproduction.com/uploads/1/3/0/7/130740573/dozudepuwebeza.pdf
    • http://sanjosedelosreynoso.com/uploads/1/3/0/7/130775846/mosigubipalade.pdf
    • http://mobilebillboardssanmateo.com/uploads/1/3/0/5/130541023/1cf1ff560.pdf
    • http://sossanantonio.com/uploads/1/3/0/5/130539599/bapowepis_xekedoluxo_goniwamuxeve_bizurezifotagu.pdf
    • http://mickaelpalma.com/uploads/1/3/0/2/130289731/8598886.pdf
    • http://disabilitymanagmentsolutions.ca/uploads/1/3/0/4/130435553/jobifetajubaw.pdf
    • http://michaeldeaton.com/uploads/1/3/0/7/130739028/zoboxadisomeke_kaverenenu_selijigezidube_kijugijamarorik.pdf
    • http://cecilyeiferle.com/uploads/1/3/0/3/130313440/130313440.html#reading+games+for+esl+learners
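The PDF_SEO_LINK_FARM heuristic and the summary above describe a simple byte-level test: a small PDF, many clickable link annotations whose targets are external .pdf files, mostly on one host. The following is an added, stdlib-only illustration of that test; it is not the analysis engine's code, the thresholds (MAX_SIZE_BYTES, MIN_EXTERNAL_PDF_LINKS, MIN_TOP_HOST_SHARE) are assumed values, and the sample PDF it builds is constructed input using example.net / example.org hosts rather than the URLs from this report. It pulls /URI targets out of link-action dictionaries with a regex, which is enough for uncompressed objects; for objects inside compressed object streams a real parser (pdf-parser, pypdf) is needed.

```python
"""Added example: a minimal PDF_SEO_LINK_FARM-style check (not the report engine's code)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed thresholds for illustration; the report engine's real values are not published here.
MAX_SIZE_BYTES = 100 * 1024      # "small PDF"
MIN_EXTERNAL_PDF_LINKS = 5       # "many clickable external PDF links"
MIN_TOP_HOST_SHARE = 0.5         # "mostly clustered on one host"

# /URI (literal string) inside a link action; tolerates backslash-escaped parentheses.
# The hex-string form /URI <...> and objects inside compressed object streams are not
# covered by this regex; use a real PDF parser for those.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI literal-string target in document order."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        # Undo the PDF string escapes that can occur inside a URL.
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_score(pdf_bytes: bytes) -> dict:
    """Apply the size / external-PDF-link-count / host-clustering test and return the evidence."""
    uris = extract_uris(pdf_bytes)
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    top_share = top_count / len(external) if external else 0.0
    hit = (len(pdf_bytes) <= MAX_SIZE_BYTES
           and len(pdf_links) >= MIN_EXTERNAL_PDF_LINKS
           and top_share >= MIN_TOP_HOST_SHARE)
    return {
        "size": len(pdf_bytes),
        "external_links": len(external),
        "external_pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(top_share, 2),
        "hit": hit,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed test input: one page whose /Annots are Link annotations with URI actions.
    No xref table is emitted, so this is not a conforming PDF; it only needs to look like
    one to a byte-level scanner such as extract_uris()."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annot_refs + b"] >>")
    for i, u in enumerate(urls):
        # Escape the characters that are special inside a PDF literal string.
        lit = u.encode("latin-1").replace(b"\\", rb"\\").replace(b"(", rb"\(").replace(b")", rb"\)")
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [50 %d 550 %d] /A << /S /URI /URI ("
                    % (700 - 20 * i, 715 - 20 * i) + lit + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return (b"%PDF-1.4\n" + body
            + b"trailer\n<< /Root 1 0 R /Size %d >>\n%%%%EOF\n" % (len(objs) + 1))


# Constructed link-farm sample: six external links, five to .pdf files, four on one host.
SAMPLE_URLS = [
    "http://docs.example.net/uploads/1/3/0/6/130640033/a1.pdf",
    "http://docs.example.net/uploads/1/3/0/6/130640033/b2.pdf",
    "http://docs.example.net/uploads/1/3/0/6/130640033/c3.pdf",
    "http://docs.example.net/uploads/1/3/0/6/130640033/d4.pdf",
    "http://cdn.example.org/uploads/1/3/0/3/130323302/e5.pdf",
    "http://www.example.com/uploads/1/3/0/3/130313440/index.html#reading",
]
# Constructed benign sample: a normal document with two citations.
BENIGN_URLS = [
    "https://www.example.com/about.html",
    "https://www.example.com/report.pdf",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    print(link_farm_score(SAMPLE_PDF))
    print(link_farm_score(build_sample_pdf(BENIGN_URLS)))
```

Run as a script it prints the evidence dictionary for both constructed samples; only the link-farm one reaches the assumed thresholds. The host-share term is what separates a link farm from a long but legitimate bibliography, and the size term keeps a large real document with many citations out of the rule.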

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001419.bin
  SHA-256: c562d498851a6819211563ac73687ddb56de9157ed183686fa698394972eb4de
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1419
  Size: 8248 bytes

Filename: font_01_sfnt_off00006b6a.bin
  SHA-256: c7143368894299a997ed09f05024df052d964886bc902d598de4a6791c50751f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6B6A
  Size: 10292 bytes

Filename: font_02_sfnt_off0000814b.bin
  SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x814B
  Size: 2652 bytes