Malicious PDF — malware analysis report

Static analysis result for SHA-256 27f416a18cfcb65a…

Verdict: MALICIOUS
File type: PDF
Size: 36.7 KB
Authoring application: pdf-parser
MD5: 9bd4af3188655f3edddc2e6bea1dec2c
SHA-1: d678db658763d725ae57efba7621520d6a55fc89
SHA-256: 27f416a18cfcb65a1784b39177827b4e6a6d1d9c08a720fb3d263be7b697b307
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. ClamAV also detected this file as Pdf.Phishing.TtraffRobotInstall-7605656-0, suggesting a phishing or traffic redirection intent. The embedded URLs are likely used to redirect users to malicious sites or to manipulate search engine results.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003001.bin
SHA-256: d9bb1a73f4e7dc55c90bb19141bab278e7b5ebcb5097a4e6d7a4c7cdf329c647
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3001
Size: 7880 bytes