Malicious PDF — malware analysis report

Static analysis result for SHA-256 3596b5f6ac4d84d0…

Verdict: MALICIOUS
File type: PDF
Size: 38.7 KB
Authoring application: Adobe PDF Library 9.0
MD5: ee5b191a8c3e151c72dec1fdafbf6641
SHA-1: e8115d8ac80e2d051da133bde90293f80b28e714
SHA-256: 3596b5f6ac4d84d00d76e5466dde4f3d8ac5d6dad6035e439c4f9832a3a58e73
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files hosted on various domains, a technique often used for SEO manipulation or to distribute further malicious content. ClamAV identified this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', indicating a phishing or traffic redirection purpose. The ML classifier also strongly flagged this as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00002e2a.bin
    SHA-256: e55827df3661c2683537835c524d3a3219148eb2cb7868c9158d8027600b7553
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2E2A
    Size: 3596 bytes
  • font_01_sfnt_off00003cfb.bin
    SHA-256: 553b47eb95a6912df30f71fe4dac290368c82cb10d2ee817a891d8ddac003c5e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3CFB
    Size: 8080 bytes