Malicious PDF — malware analysis report

Static analysis result for SHA-256 28c956e5d3ba364c…

Verdict: MALICIOUS
File type: PDF
Size: 42.1 KB
Authoring application: pdf-parser
MD5: 248962dbebf671392739a7c90c3b3869
SHA-1: 6426bcf881877e6bf47453495dd4447b3363e6a7
SHA-256: 28c956e5d3ba364c187af3957714d4730e9ab89996d92bb82d22d908200809cf
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall' and the ML classifier output together strongly indicate malicious intent. The embedded URLs are the primary indicators of compromise; they likely serve as landing pages or download sources for further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011a3.bin
SHA-256: 52b779a8c9c618f1809ef3be864e8b719d8bcb6247c35ebac6a9d1dc8cc36c86
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11A3
Size: 5980 bytes

Filename: font_01_sfnt_off000039a0.bin
SHA-256: d1616011ee0cc5a49a5b188b8aa3fee723f4a914ffc0cf3f009dcf21c9aadbef
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x39A0
Size: 18396 bytes