Malicious PDF — malware analysis report

Static analysis result for SHA-256 2edf95f7b5687dd4…

Verdict: MALICIOUS
File type: PDF
Size: 43.7 KB
Authoring application: Poppler-utils
MD5: de9d2ce7c9b1beb7e7eedadd3e7a1af4
SHA-1: a426e3adc9cae60be567f466a5a0fbd5c50cca18
SHA-256: 2edf95f7b5687dd48b7dfda188543cc4d205c743850091c685f94b0fd5f09d40
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a link farm of external PDF files, disguised as a free auto repair manual. The heuristic PDF_SEO_LINK_FARM indicates a mass of external links, and the ML classifier and ClamAV detection confirm its malicious nature. The embedded URLs are likely used to host further malicious content or redirect users to phishing sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://jacobsa.net/uploads/1/3/0/4/130483629/lakapiximi_lerexikamedad_jogalut_dokiwax.pdf
    • http://mosaicvoices.net/uploads/1/3/0/2/130287919/kumikinisepa-nazopazulabex.pdf
    • http://havencaylorbrown.com/uploads/1/3/0/6/130639776/nipajiminijox_kopexidivepu_zuvufod_pipuragasa.pdf
    • http://photoclube.com/uploads/1/3/0/4/130436494/a537c.pdf
    • http://rickyzheng.net/uploads/1/3/0/5/130588864/wagovedenoma-wewedalekuvo-gobesa.pdf
    • http://bartolomeilaw.com/uploads/1/3/0/8/130813819/130813819.html#chilton+auto+repair+manual++free

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000112c.bin
    SHA-256: 4cc46ed1f1b505679d76488fffd2a1f376c468e989654afca6e2a32348bfcaa1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x112C
    Size: 8488 bytes
  • Filename: font_01_sfnt_off0000641e.bin
    SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x641E
    Size: 16204 bytes