Malicious PDF — malware analysis report

Static analysis result for SHA-256 35df15fc29578521…

Verdict: MALICIOUS
File type: PDF
Size: 34.7 KB
Authoring application: Nitro PDF
MD5: 04d56c17f1b259a7295a7af263b8f683
SHA-1: 27b0188db82b44235dcf00af22054513d63d59c8
SHA-256: 35df15fc29578521cae8bf04fd3cc9b3e1af4858280ae1ac518d46cc346c3731
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link (the source listed this as T1204.002, which is the Malicious File sub-technique; the user-clicked links described below map to .001)

The PDF carries a large number of external link annotations, flagged by the PDF_SEO_LINK_FARM heuristic. The Nyx ML classifier and ClamAV also flagged the file, ClamAV as Pdf.Phishing.TtraffRobotInstall. The 26 embedded URLs sit on 26 distinct hosts but share the same upload-path layout (/uploads/1/3/0/N/13XXXXXXX/<name>.pdf or /uploads/YYYY/MM/DD/<name>.pdf), which is characteristic of mass-generated SEO/link-farm PDFs that route readers on to further malicious or unwanted-software downloads and phishing pages rather than of a document citing sources. No scripts were extracted from the sample, so the harm depends on a user clicking one of the links, not on the PDF being rendered.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://safespacecounseling.com/uploads/1/3/0/2/130287229/2303060.pdf
    • http://jilopo.imperia-hold.ru/uploads/2020/01/28/gasafaz.pdf
    • http://professionalcommunication.org/uploads/1/3/0/5/130543671/4278667.pdf
    • https://desawalapu.weebly.com/uploads/1/3/0/4/130435909/ba206746832.pdf
    • https://puzasifipoxirul.weebly.com/uploads/1/3/0/6/130604169/kipuwefinadonovi.pdf
    • http://raisintheblues.com/uploads/1/3/0/5/130543539/sezom.pdf
    • http://theexpertdoc.com/uploads/1/3/0/3/130379105/jepolosuji_lajixo.pdf
    • http://streetbrunch.com/uploads/1/3/0/4/130483912/fb6f1dce95e.pdf
    • http://juna.terraeuropa.net/uploads/2020/01/28/sazawuv-mofikab.pdf
    • http://mhschem.weebly.com/uploads/1/3/0/6/130620791/todenodofos-witafux-kakufonizapuwor.pdf
    • http://kirstinmasonrealproperty.com/uploads/1/3/0/5/130588716/gabinilazikonibil.pdf
    • http://washco-feed.com/uploads/1/3/0/3/130379202/2806974.pdf
    • http://ruwusit.yusufkalayci.com/uploads/2020/01/27/3247702.pdf
    • http://aearthsport.com/uploads/1/3/0/4/130488626/494a5.pdf
    • http://loribede.olsi-tex.ru/uploads/2020/01/27/jetefejupodekun-gujuvetegef.pdf
    • http://micropapillarybreastcancer.org/uploads/1/3/0/6/130639491/vivokudasoroso.pdf
    • https://zuwalamololi.weebly.com/uploads/1/3/0/3/130312976/nifatowi_jepato.pdf
    • http://mkayinthemountains.com/uploads/1/3/0/4/130489080/8077038.pdf
    • http://aleriongames.us/uploads/1/3/0/6/130604031/a2d204.pdf
    • http://siliw.hnhojjat.com/uploads/2020/01/27/1279054.pdf
    • https://ronugefafefezos.weebly.com/uploads/1/3/0/4/130489627/4702799.pdf
    • http://xizibomed.remsokna.ru/uploads/2020/01/28/e6740eebc6b7e.pdf
    • http://xetu.centrprava40.ru/uploads/2020/01/27/5325714.pdf
    • https://mepinegiki.weebly.com/uploads/1/3/0/5/130588261/vavema.pdf
    • http://azonracing.com/uploads/1/3/0/5/130550901/dibofezufena_nefido_gavaw_wasefesin.pdf
    • http://kylaconner.com/uploads/1/3/0/3/130323455/130323455.html#irregular+verbs+in+spanish+present+tense+worksheet
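The heuristic above is described only in prose. The following is an added example, not the analysis platform's code: it pulls /URI link-annotation targets out of raw PDF bytes (literal and hex string forms) and applies a PDF_SEO_LINK_FARM-style rule. The thresholds are assumptions, and because the report's own URLs sit on 26 different hosts but share one upload-path layout, the example clusters by a normalised path template as well as by host, which goes slightly beyond the heuristic text. The sample PDF at the bottom is constructed with example hosts.

```python
"""
Added example (not the analysis platform's code): extract /URI link targets
from raw PDF bytes and apply a PDF_SEO_LINK_FARM-style heuristic. Thresholds
are assumptions, as is the constructed sample PDF built at the bottom.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed thresholds; the report does not publish the real ones.
MAX_SIZE_BYTES = 64 * 1024   # "small PDF"
MIN_EXTERNAL_LINKS = 10      # "many clickable external links"
CLUSTER_SHARE = 0.4          # "mostly clustered" on one host or one path layout

# /URI values inside link annotations: literal strings (...) with backslash
# escapes, or hex strings <...>. Only plain (non-object-stream) bytes are seen.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in the raw PDF bytes (channel: link annotation)."""
    uris = []
    for m in _URI_LITERAL.finditer(pdf):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))   # \( \) \\ -> ( ) \  (octal escapes not handled)
        uris.append(raw.decode("latin-1"))
    for m in _URI_HEX.finditer(pdf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:                # PDF pads a trailing odd nibble with 0
            hexstr += b"0"
        uris.append(bytes.fromhex(hexstr.decode("ascii")).decode("latin-1"))
    return uris


def path_template(url: str) -> str:
    """Normalise a URL path: digit runs -> N, filename -> *, keep the extension."""
    head, _, tail = urlsplit(url).path.rpartition("/")
    ext = tail.rsplit(".", 1)[1].lower() if "." in tail else ""
    return re.sub(r"\d+", "N", head) + "/*" + (f".{ext}" if ext else "")


def link_farm_verdict(pdf: bytes) -> dict:
    """Apply the size / link-count / clustering rule and return the evidence."""
    uris = extract_uris(pdf)
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    templates = Counter(path_template(u) for u in external)
    n = len(external)
    top_host, host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tmpl, tmpl_n = templates.most_common(1)[0] if templates else ("", 0)
    host_share = host_n / n if n else 0.0
    tmpl_share = tmpl_n / n if n else 0.0
    hit = (len(pdf) <= MAX_SIZE_BYTES and n >= MIN_EXTERNAL_LINKS
           and max(host_share, tmpl_share) >= CLUSTER_SHARE)
    return {
        "size": len(pdf), "uris": len(uris), "external_links": n,
        "distinct_hosts": len(hosts), "top_host": top_host, "top_host_share": host_share,
        "top_path_template": top_tmpl, "top_template_share": tmpl_share, "hit": hit,
    }


def build_sample_pdf(urls: list[str], hex_every: int = 4) -> bytes:
    """Constructed sample: one page whose only content is /Link annotations.
    Every hex_every-th URI is written as a hex string to exercise both parsers.
    No xref table is written; byte-level extraction does not need one."""
    annots, objs = [], []
    for i, u in enumerate(urls):
        num = 4 + i
        annots.append(f"{num} 0 R")
        if i % hex_every == 0:
            uri = "<" + u.encode("latin-1").hex().upper() + ">"
        else:
            esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
            uri = f"({esc})"
        objs.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 {10*i} 100 {10*i+8}] "
                    f"/A << /S /URI /URI {uri} >> >>\nendobj\n")
    doc = ("%PDF-1.4\n"
           "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
           f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 300] "
           f"/Annots [{' '.join(annots)}] >>\nendobj\n"
           + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return doc.encode("latin-1")


# Constructed URLs on example hosts (not the report's): many distinct hosts
# sharing one upload-path layout, plus one with parentheses and one mailto.
SAMPLE_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 7}/1303{i:05d}/doc{i}.pdf"
               for i in range(11)]
SAMPLE_URLS += ["https://parens.example/uploads/1/3/0/5/130500000/a(b).pdf",
                "mailto:abuse@parens.example"]

if __name__ == "__main__":
    verdict = link_farm_verdict(build_sample_pdf(SAMPLE_URLS))
    for k, v in verdict.items():
        print(f"{k}: {v}")
```

Run as-is it reports 12 external links on 12 hosts with a top-host share far below the threshold, yet the path-template share is 1.0 and the rule fires; that mirrors the report's sample, where host clustering alone would have missed the farm. On a real file, pair this with decompression of object streams and a proper PDF parser, since a byte-level regex only sees /URI values stored in the clear.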

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000173f.bin
SHA-256: 7fd01e04ad49df46c723739c7f67de98827185464974cf2f188f3788934c4c4e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x173F
Size: 7844 bytes