Malicious PDF — malware analysis report

Static analysis result for SHA-256 2425312f07ffd524…

MALICIOUS

PDF

Size: 44.9 KB
Authoring application: GIMP
MD5: cf8dda493e8038275e49e1b57c513048
SHA-1: 5b5758e771eb32a4efaf0c8c88db3e52a9b60bcc
SHA-256: 2425312f07ffd5242e780049e69d2660d3c669ff9ab93c23b7ad46ea1a9a8e2f
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents, a technique often used for SEO poisoning or phishing. ClamAV detected this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and a machine learning classifier also flagged it with high confidence. The document body is heavily obfuscated and unreadable, but the presence of numerous links to external PDFs strongly suggests a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jepizalobatise.weebly.com/uploads/1/3/0/2/130272394/pagiwetawej.pdf
    • https://xubowijuzadoje.weebly.com/uploads/1/3/0/5/130589115/3745462.pdf
    • https://darataxenut.weebly.com/uploads/1/3/0/5/130589104/9407131.pdf
    • http://jidawosimu.localdatemeet.club/uploads/2020/01/28/3110150.pdf
    • https://tusaguvumibumo.weebly.com/uploads/1/3/0/5/130590336/xiwumumitojoja.pdf
    • http://nancyfleuridor.com/uploads/1/3/0/6/130605159/gosutaziladiguweru.pdf
    • https://mogotefi.weebly.com/uploads/1/3/0/5/130540208/wazujevalimanet.pdf
    • http://nenosubet.freedomflow.ru/uploads/2020/01/28/lidem_dexoduneturof_tinalexadonizad_jufimina.pdf
    • http://nifebijas.forexinaustralia.club/uploads/2020/01/27/3254873.pdf
    • http://brandirmunoz.com/uploads/1/3/0/6/130604562/2372595.pdf
    • http://catcollaborative.com/uploads/1/3/0/6/130604770/pikisalutoxa.pdf
    • http://xitopix.ps-crm.ru/uploads/2020/01/27/ab6364cfbd26.pdf
    • http://thehyggehomeinfo.com/uploads/1/3/0/6/130605173/nexifokizotik.pdf
    • http://juv.maxtonplains.com/uploads/2020/01/28/fobuzafum.pdf
    • http://annotalegal.com/uploads/1/3/0/2/130289344/130289344.html#fractions+adding+worksheets

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011fb.bin
SHA-256: 77362368d201bb0997dd8fd87b635b3dd29a21bf6fed6a8630f26412e94be758
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11FB
Size: 8028 bytes