Malicious PDF — malware analysis report

Static analysis result for SHA-256 34bc1cc3c4904e10…

MALICIOUS

PDF

Size: 59.5 KB
Authoring application: Nitro PDF
MD5: f814c30e19817e002870917cea66f175
SHA-1: eea05bc493958e4d3f87fa50f725801bf39acaf5
SHA-256: 34bc1cc3c4904e10eaae89a70604e39c970c78b94436ef3868cd5d2c7f6d88f4
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link; T1204.002 Malicious File

The PDF contains a large number of clickable links to external PDF files, a pattern typical of SEO poisoning or of routing users to malicious content. The ClamAV signature and the ML classifier both indicate malicious intent, most likely phishing or malware distribution. No embedded scripts were extracted from this sample; the risk lies in the links, not in active content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URLs (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://thesevenpotters.com/uploads/1/3/0/5/130544746/xufosapujoda.pdf
    • http://amdberlin.com/uploads/1/3/0/3/130379146/2383323.pdf
    • http://ooredooalgeria.net/uploads/1/3/0/5/130540266/nuzodigifefowojovet.pdf
    • http://syneride.com/uploads/1/3/0/5/130551366/fikij.pdf
    • http://cyber-plus.net/uploads/1/3/0/5/130588762/jexizepafutadudu.pdf
    • http://obccbd.com/uploads/1/3/0/7/130738823/8783866.pdf
    • http://min.mailsens01.online/uploads/2020/01/29/xaruf-gudizexijipisu-rekomewazisoxu.pdf
    • http://mrgospelmusic.com/uploads/1/3/0/4/130489499/f07340603af97d.pdf
    • http://triplex-arrow.com/uploads/1/3/0/7/130739669/bfda1.pdf
    • http://northshorepaintinginc.com/uploads/1/3/0/6/130605452/rosekavo_borupur_xusizo_vulijigodadajus.pdf
    • http://olympicvillagerentalsvancouver.com/uploads/1/3/0/5/130550729/43786578e6d3.pdf
    • http://mesawindshieldrepair.com/uploads/1/3/0/5/130588611/pefuxazivif.pdf
    • http://sharedtravel.voyagerwebsites.com/uploads/1/3/0/6/130639226/130639226.html#ignou+sociology+study+material+in+hindi+pdf
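The PDF_SEO_LINK_FARM heuristic and the EMBEDDED_URL channel note above describe a check that is easy to reproduce: pull the URIs out of /Link annotations (the link-annotation channel, as opposed to JavaScript or body text), keep the external ones whose path ends in .pdf, and compare the count and host concentration against a size threshold. The script below is an added example, not the analysis tool's own logic. It builds a constructed stand-in PDF from the URLs listed in this report (not the analysed file) and runs the check over it; the thresholds (200 KB, 8 links, 50% on one host) are assumptions. On this sample the twelve .pdf links land on twelve distinct hosts, so the host-clustering flag does not fire and the link count alone carries the verdict.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample input (assumption): the URLs listed in the report,
# wrapped in a minimal PDF with one /Link annotation per URL. This is a
# stand-in with the same link pattern, not the analysed file.
SAMPLE_URLS = [
    "http://thesevenpotters.com/uploads/1/3/0/5/130544746/xufosapujoda.pdf",
    "http://amdberlin.com/uploads/1/3/0/3/130379146/2383323.pdf",
    "http://ooredooalgeria.net/uploads/1/3/0/5/130540266/nuzodigifefowojovet.pdf",
    "http://syneride.com/uploads/1/3/0/5/130551366/fikij.pdf",
    "http://cyber-plus.net/uploads/1/3/0/5/130588762/jexizepafutadudu.pdf",
    "http://obccbd.com/uploads/1/3/0/7/130738823/8783866.pdf",
    "http://min.mailsens01.online/uploads/2020/01/29/xaruf-gudizexijipisu-rekomewazisoxu.pdf",
    "http://mrgospelmusic.com/uploads/1/3/0/4/130489499/f07340603af97d.pdf",
    "http://triplex-arrow.com/uploads/1/3/0/7/130739669/bfda1.pdf",
    "http://northshorepaintinginc.com/uploads/1/3/0/6/130605452/rosekavo_borupur_xusizo_vulijigodadajus.pdf",
    "http://olympicvillagerentalsvancouver.com/uploads/1/3/0/5/130550729/43786578e6d3.pdf",
    "http://mesawindshieldrepair.com/uploads/1/3/0/5/130588611/pefuxazivif.pdf",
    "http://sharedtravel.voyagerwebsites.com/uploads/1/3/0/6/130639226/130639226.html#ignou+sociology+study+material+in+hindi+pdf",
]


def pdf_literal(s: str) -> str:
    """Escape a string for use inside a PDF literal string (...)."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_link_pdf(urls) -> bytes:
    """Minimal uncompressed PDF: one page whose /Annots array holds a /Link
    annotation with a /URI action per URL. No xref table is written; the
    extractor below does not need one."""
    objs = [
        "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    ]
    annot_ids = list(range(4, 4 + len(urls)))
    refs = " ".join(f"{n} 0 R" for n in annot_ids)
    objs.append("3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                f"/Annots [{refs}] >>\nendobj\n")
    for n, url in zip(annot_ids, urls):
        objs.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 72 300 90] "
                    f"/A << /S /URI /URI ({pdf_literal(url)}) >> >>\nendobj\n")
    body = "%PDF-1.4\n" + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return body.encode("latin-1")


# A URI action looks like << /S /URI /URI (literal string) >>. The capture
# tolerates backslash escapes inside the literal. Only uncompressed objects
# are visible this way; annotations in object streams must be inflated first.
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_link_uris(pdf_bytes: bytes) -> list:
    """URIs reached through the link-annotation channel, in file order."""
    uris = []
    for m in URI_ACTION.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        uris.append(raw.decode("latin-1"))
    return uris


def is_external_pdf(uri: str) -> bool:
    p = urlsplit(uri)
    return p.scheme in ("http", "https") and p.path.lower().endswith(".pdf")


def seo_link_farm_score(pdf_bytes: bytes, max_size=200_000, min_links=8,
                        cluster_share=0.5) -> dict:
    """Assumed thresholds: 'small' = at most max_size bytes, 'mass' = at least
    min_links external .pdf links, 'clustered' = one host gets >= cluster_share."""
    uris = extract_link_uris(pdf_bytes)
    ext_pdf = [u for u in uris if is_external_pdf(u)]
    hosts = Counter(urlsplit(u).hostname for u in ext_pdf)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_share = top_n / len(ext_pdf) if ext_pdf else 0.0
    return {
        "size": len(pdf_bytes),
        "link_uris": len(uris),
        "external_pdf_links": len(ext_pdf),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(top_share, 2),
        "clustered": top_share >= cluster_share,
        "triggered": len(pdf_bytes) <= max_size and len(ext_pdf) >= min_links,
    }


SAMPLE_PDF = build_link_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    for key, value in seo_link_farm_score(SAMPLE_PDF).items():
        print(f"{key:>20}: {value}")
```

Run against a real sample, replace SAMPLE_PDF with the file's bytes; if the document uses object streams (PDF 1.5+), inflate them first (for instance with pypdf) or the regex will see nothing, which is a false negative, not a clean bill of health.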

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are sfnt (TrueType/OpenType) font streams, which are routine in authored PDFs; none of them was flagged.

font_00_sfnt_off00001369.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1369
  Size: 8276 bytes
  SHA-256: 08e51d8346b1aec1d0fa86403278ecea132f64e59f52917abee8dbc545f341c9

font_01_sfnt_off00007753.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7753
  Size: 16160 bytes
  SHA-256: 5ab5c516e95befb52fa0438c140e93b8032b6e32ae9a8e17bb47829c10fb500c

font_02_sfnt_off00008ec0.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8EC0
  Size: 15876 bytes
  SHA-256: e68a44bfc7f3c9e848ceb2654279e3d2d23b5b668456db8d3aaa5d69b163160d