Malicious PDF — malware analysis report

Static analysis result for SHA-256 2af9a61d9f31a627…

Verdict: MALICIOUS
File type: PDF
Size: 36.5 KB
Authoring application: Soda PDF
First seen: 2021-02-23
MD5: 266422fbb0e058c293b6efa1a93c5994
SHA-1: 1eb092fd5ccdc0aef0e9fe4d66186621900353e3
SHA-256: 2af9a61d9f31a62701ba9ad34b81f6968ea015f21b01b763571a141866ab8866
Risk score: 160

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the 15 extracted links sit on 15 different hosts but share one upload-path shape (/uploads/1/3/0/<n>/<id>/...), so the clustering is on a generated path template rather than on a single host.
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.). Low-signal unless other findings point to a malicious workflow.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mspoolebiology.com/uploads/1/3/0/3/130379341/802894.pdf (in PDF document text)
    • http://msjsport.net/uploads/1/3/0/5/130540106/vonesedoda.pdf (in PDF document text)
    • http://guillenpujol.net/uploads/1/3/0/2/130289523/40270264a11c2b.pdf (in PDF document text)
    • http://vickas.net/uploads/1/3/0/2/130270985/9430272.pdf (in PDF document text)
    • http://terrellconsultinggroup.com/uploads/1/3/0/7/130740232/4109846.pdf (in PDF document text)
    • http://narragansettgunclub.org/uploads/1/3/0/7/130739628/7696416.pdf (in PDF document text)
    • http://simplemedicalanswers.com/uploads/1/3/0/5/130540795/7ee199ec797.pdf (in PDF document text)
    • http://rprsnt.co.uk/uploads/1/3/0/6/130620708/5816016.pdf (in PDF document text)
    • http://michelledrumheller.com/uploads/1/3/0/4/130489437/zemeb-fitagagimo-rigug-sogokadose.pdf (in PDF document text)
    • http://emmareneebradford.com/uploads/1/3/0/6/130639369/146b0b5.pdf (in PDF document text)
    • http://thecyberhymnal.net/uploads/1/3/0/7/130739347/3450138.pdf (in PDF document text)
    • http://www.birkdaleawards.com/uploads/1/3/0/5/130590661/7708265.pdf (in PDF document text)
    • http://lfs-matrix.org/uploads/1/3/0/8/130814526/mesize.pdf (in PDF document text)
    • http://sheriffproperties.com/uploads/1/3/0/3/130323155/zavof.pdf (in PDF document text)
    • http://farkindaliklayasam.org/uploads/1/3/0/7/130738657/130738657.html#manual+do+audacity+2.2.2+em+portugues (in PDF document text)
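The PDF_SEO_LINK_FARM and SE_DOWNLOAD_BUTTON heuristics above can be reproduced with a small amount of code. The example below is added here for illustration and is not the analysis platform's own implementation: it pulls URLs out of a PDF blob (separating /URI link-annotation actions from URL-shaped strings in page text, which is the per-URL channel labelling the report uses), collapses each URL's directory path to a digit-free template, and fires the link-farm verdict when a small file carries many distinct .pdf links that cluster on one host or on one path template. The thresholds (200 KB, 8 links, 50 % clustering) and the constructed PDF-shaped input are assumptions; the input copies the report's /uploads/1/3/0/<n>/<id>/ path shape with invented hosts and is not the analysed sample.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Thresholds are assumptions chosen for this example, not the report's own tuning.
SMALL_PDF_BYTES = 200 * 1024   # "small" PDF; the sample above is 36.5 KB
MIN_PDF_LINKS = 8              # distinct external .pdf links needed to call it a farm
CLUSTER_SHARE = 0.5            # share of links that must share a host or a path template

# Constructed PDF-shaped byte string for offline testing (not the analysed sample's bytes,
# and not a renderable PDF): five /Link annotations plus URLs and a call-to-action phrase
# in page text. Paths copy the report's /uploads/1/3/0/<n>/<id>/ shape; hosts are invented.
CONSTRUCTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] /Contents 9 0 R >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-a.example/uploads/1/3/0/3/130379341/802894.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-b.example/uploads/1/3/0/5/130540106/vonesedoda.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-c.example/uploads/1/3/0/2/130289523/40270264a11c2b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-d.example/uploads/1/3/0/2/130270985/9430272.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-e.example/uploads/1/3/0/7/130740232/4109846.pdf) >> >> endobj
9 0 obj << >>
stream
BT /F1 12 Tf (Click here to download) Tj ET
BT (http://host-f.example/uploads/1/3/0/7/130739628/7696416.pdf) Tj ET
BT (http://host-g.example/uploads/1/3/0/5/130540795/7ee199ec797.pdf) Tj ET
BT (http://host-h.example/uploads/1/3/0/6/130620708/5816016.pdf) Tj ET
BT (http://host-i.example/uploads/1/3/0/4/130489437/zemeb.pdf) Tj ET
BT (http://host-j.example/uploads/1/3/0/7/130738657/130738657.html#manual+do+audacity) Tj ET
endstream
endobj
%%EOF
"""

URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")      # /Link annotation URI actions
ANY_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")     # anything URL-shaped, anywhere
CTA_RE = re.compile(rb"click here to download|download now", re.IGNORECASE)


def extract_urls(data: bytes) -> list[tuple[str, str]]:
    """Return (channel, url) pairs in the report's style: a URL reached through a
    /URI action is labelled 'link annotation'; any other URL-shaped string is
    attributed to 'document text'. Each distinct URL is reported once."""
    seen, found = set(), []
    for m in URI_ACTION_RE.finditer(data):
        url = m.group(1).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append(("link annotation", url))
    for m in ANY_URL_RE.finditer(data):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append(("document text", url))
    return found


def path_template(url: str) -> str:
    """Directory part of the URL path with digit runs collapsed to '#', so
    /uploads/1/3/0/3/130379341/802894.pdf becomes /uploads/#/#/#/#/#."""
    path = urlsplit(url).path
    return re.sub(r"\d+", "#", path.rsplit("/", 1)[0])


def link_farm_score(urls, size_bytes: int) -> dict:
    """PDF_SEO_LINK_FARM logic: a small file with many distinct external .pdf links
    that cluster either on one host or on one generated path template."""
    pdf_links = sorted({u for _, u in urls if urlsplit(u).path.lower().endswith(".pdf")})
    n = len(pdf_links)
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template = templates.most_common(1)[0][1] / n if n else 0.0
    return {
        "pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": top_host,
        "top_template_share": top_template,
        "link_farm": size_bytes <= SMALL_PDF_BYTES and n >= MIN_PDF_LINKS
                     and max(top_host, top_template) >= CLUSTER_SHARE,
    }


def assess(data: bytes) -> list[str]:
    """Heuristic IDs fired for a PDF blob; SE_DOWNLOAD_BUTTON stays low-signal on its
    own, so a scorer should weight it only next to a workflow finding like the farm."""
    tags = []
    if link_farm_score(extract_urls(data), len(data))["link_farm"]:
        tags.append("PDF_SEO_LINK_FARM")
    if CTA_RE.search(data):
        tags.append("SE_DOWNLOAD_BUTTON")
    return tags


if __name__ == "__main__":
    for channel, url in extract_urls(CONSTRUCTED_PDF):
        print(f"{channel:16} {url}")
    print(link_farm_score(extract_urls(CONSTRUCTED_PDF), len(CONSTRUCTED_PDF)))
    print(assess(CONSTRUCTED_PDF))
```

On the constructed input every host is different, so the host-share test alone would miss the farm; the path-template share is 1.0 and carries the verdict, which is the same situation the report's 15 URLs show. Real PDFs can hide the URI behind hex strings or in compressed object streams, so a production extractor should inflate FlateDecode streams and decode hex strings before applying these regexes.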

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003330.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3330
Size: 10028 bytes
SHA-256: bb461214383f509c95424211a51ad1a98c24a80dcd5de6d884889dd535f84893