Malicious PDF — malware analysis report

Static analysis result for SHA-256 245be2ee9f1af7e2…

Verdict: MALICIOUS

File type: PDF

Size: 34.0 KB
Authoring application: PDFedit
MD5: 9c7bd0ea6d63560a63af401ba47af065
SHA-1: 853dd5a0c8ce4b683124bf3b7f7569d31d515fb3
SHA-256: 245be2ee9f1af7e29bd4a3e8a68b082bf4e1643853a605b7616a6bb21af46b77
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF is a small (34.0 KB) file whose notable content is a large number of link annotations pointing to external PDF files, a pattern characteristic of generated SEO/link-farm carriers that route users into further malicious or unwanted-software delivery chains rather than of a genuine document. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the Nyx PDF classifier score of 0.9999 corroborate the verdict. The extracted URLs are the primary IOCs: they span ten distinct domains, so blocking on a single host is weak, while most of them share the same /uploads/1/3/0/<n>/<id>/ path layout, which is the more useful pivot for hunting related carriers. Nothing in the static findings listed here (link annotations and one embedded font) shows a script stage inside the file itself, so the T1059.001 (PowerShell) mapping should be read as the expected downstream stage of the delivery chain, not as behaviour observed in this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ilovesmiley.net/uploads/1/3/0/4/130475964/mudamu_lojopefolu.pdf
    • http://spinstersguidetodating.com/uploads/1/3/0/5/130550981/nigizezozufabodizuje.pdf
    • http://ms-gillespie.com/uploads/1/3/0/2/130292098/fovomowamusani.pdf
    • http://villadjio.ru/uploads/2020/01/28/6246115.pdf
    • http://cmjlawn.com/uploads/1/3/0/5/130539241/686873b.pdf
    • http://asimplehouse.weebly.com/uploads/1/3/0/3/130323328/97928ff09034.pdf
    • http://vancouverislandpremiumhardcandy.com/uploads/1/3/0/4/130477663/cadc8fd791e9.pdf
    • http://anthropolygon.com/uploads/1/3/0/6/130620176/tunejewelikiba.pdf
    • http://manhattonbeachplumber.com/uploads/1/3/0/4/130476141/venok.pdf
    • http://edgelandscapeandmaintenance.com/uploads/1/3/0/3/130313006/130313006.html#acupuncture+point+combinations+jeremy+ross+pdf
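The following Python is an added example, not code from the analysis platform that produced this report. It shows how the two findings above can be reproduced: extracting /URI link-annotation targets from a PDF (the EMBEDDED_URL channel) and applying a PDF_SEO_LINK_FARM-style check over them. Everything in it is an assumption of the example rather than the platform's logic: the thresholds (64 KB file size, 8 external .pdf links, 50% host share), the decision to report host clustering alongside the verdict rather than require it (the targets listed in this report spread across ten distinct domains), the stdlib regex scan that reads only uncompressed object bodies (it does not inflate /ObjStm streams), and the constructed URLs on .example hosts used as test input.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# /URI (...) entries inside link-annotation action dictionaries. PDF literal
# strings can contain backslash-escaped parentheses, so consume "\x" pairs.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uri_links(pdf_bytes):
    """Return every /URI target found in the raw PDF bytes, in file order.

    Scans uncompressed object bodies only; a production extractor must also
    inflate /ObjStm object streams (FlateDecode) before scanning, which this
    example deliberately skips.
    """
    uris = []
    for m in _URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_verdict(pdf_bytes, max_size=64 * 1024, min_pdf_links=8, cluster_share=0.5):
    """Apply a PDF_SEO_LINK_FARM-style check (all thresholds are assumptions).

    Fires when a small file carries many clickable external links to .pdf
    targets. Host clustering is reported alongside rather than required,
    because a carrier may spread its targets over many look-alike hosts.
    """
    uris = extract_uri_links(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter((urlparse(u).hostname or "").lower() for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(external) if external else 0.0
    return {
        "size": len(pdf_bytes),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "host_clustered": share >= cluster_share,
        "link_farm": len(pdf_bytes) <= max_size and len(pdf_links) >= min_pdf_links,
        "iocs": sorted(set(external)),
    }


def build_link_pdf(urls):
    """Build a minimal one-page PDF containing one /Link annotation per URL.

    Constructed test input for this example, not the analysed sample. The
    cross-reference table is written correctly so the file opens in a viewer.
    """
    annot_refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annot_refs}] >>".encode(),
    ]
    for i, url in enumerate(urls):
        # Escape the characters that are special inside a PDF literal string.
        esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        y = 750 - 14 * i
        objs.append(
            f"<< /Type /Annot /Subtype /Link /Rect [72 {y} 540 {y + 12}] /Border [0 0 0] "
            f"/A << /S /URI /URI ({esc}) >> >>".encode()
        )
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_pos = len(out)
    out += f"xref\n0 {len(objs) + 1}\n".encode() + b"0000000000 65535 f \n"
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()  # fixed 20-byte xref entries
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref_pos}\n%%EOF\n".encode()
    return bytes(out)


# Constructed link set (not the report's IOCs): eight .pdf targets on one host,
# two on other hosts, one HTML page with a keyword fragment, and one mailto:.
SAMPLE_URLS = [
    f"http://uploads.carrier-host.example/uploads/1/3/0/{i}/13047{i:04d}/doc{i}.pdf"
    for i in range(8)
] + [
    "http://other-one.example/uploads/2020/01/28/6246115.pdf",
    "http://other-two.example/files/report(1).pdf",
    "http://other-three.example/index.html#acupuncture+point+combinations",
    "mailto:abuse@other-one.example",
]

if __name__ == "__main__":
    verdict = link_farm_verdict(build_link_pdf(SAMPLE_URLS))
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

To run it against a real carrier, pass the file bytes to link_farm_verdict() and feed the "iocs" list to your blocklist or hunting query; the "top_host_share" value tells you whether host-level blocking will cover most targets or whether, as with the sample in this report, a path-pattern pivot is needed instead.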

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001209.bin
SHA-256: 27518e00795352b559b09c2df758e9df45fad9d556d78e1a3cdc9225b2b02372
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1209
Size: 7860 bytes