Malicious PDF — malware analysis report

Static analysis result for SHA-256 34f36f951df4731d…

Verdict: MALICIOUS
File type: PDF
Size: 97.7 KB
Authoring application: QPDF
MD5: eb4fdbce1e930c7f677e458bcdc14ff1
SHA-1: b408a3309d44d89ae571a3afded1f5a5e82f9e93
SHA-256: 34f36f951df4731d1aac1162bdcd196c217856a65c97101e1bcd0fa273e4816b
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate malicious intent. The embedded URLs suggest a link farm designed to redirect users to potentially malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9579

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size and SHA-256.

  • font_00_sfnt_off00001282.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1282
    Size: 9440 bytes
    SHA-256: 61f9edfcc22a2c9718f4161e73c72356a953518d311203ebf3bee582230dd038
  • font_01_sfnt_off0000b2e7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB2E7
    Size: 9292 bytes
    SHA-256: 6026f6e01993c5458774b3bde33eed3abb648b4f31759a74551c0ca6c237007a
  • font_02_sfnt_off0000c7a2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC7A2
    Size: 19008 bytes
    SHA-256: 737bbcd7e970b4f60ec4a643c09c2b5562cd1b3e4fef31de26dd7df635ea3fdd
  • font_03_sfnt_off0000f62b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF62B
    Size: 3048 bytes
    SHA-256: cceca1ce86c59de3a37e46c6648157c37054ddc0b6ce18768579954df2feaf06
  • font_04_sfnt_off000100c1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x100C1
    Size: 17884 bytes
    SHA-256: a1fbf31f202547fd9a21d66826ebc0c29c499cd4454381c9afac64c512f1dd2c
  • font_05_sfnt_off00011aa4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11AA4
    Size: 1428 bytes
    SHA-256: 91cf9cd4efac8f69dcdf587659185da8236567bce3e9e4f6a5ecd944f50fae4f
  • font_06_sfnt_off00012505.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12505
    Size: 17116 bytes
    SHA-256: ff557900394ac8b982c2866e37e7a82c47dde65e24820698d9d4b18e4d85c3bc