Malicious PDF — malware analysis report

Static analysis result for SHA-256 397c04cbe50c6425…

MALICIOUS

PDF

36.8 KB Authoring application: PDFBox
MD5: d60a2dc31ec33fa0ce06acd2d01403e7 SHA-1: 455e1e9fca95ca46cff8c168e874e17f3486f540 SHA-256: 397c04cbe50c6425b89380ec92f7b19011afe32a4a6cc28481e95e8743583caf
150 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF was flagged by multiple heuristics, including a critical finding for a link farm and ClamAV detection as Pdf.Phishing.TtraffRobotInstall. The presence of numerous external URLs, many pointing to suspicious domains, strongly suggests a phishing or malware distribution attempt. The document body contains obfuscated text and embedded URLs, further supporting this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://xawop.majesticpin.site/uploads/2020/01/27/bulisiboxiba.pdf
    • http://riki.visittatarstan.ru/uploads/2020/01/28/tipur.pdf
    • https://getofujotajaw.weebly.com/uploads/1/3/0/2/130289732/849e4ea398fa97.pdf
    • https://newiseva.weebly.com/uploads/1/3/0/5/130590413/xoruzovijowixezose.pdf
    • https://vukerikokuw.weebly.com/uploads/1/3/0/5/130551534/9260880.pdf
    • http://girisasipe.sayt-nedorogo.ru/uploads/2020/01/27/1c8bbead.pdf
    • https://jivawodumifus.weebly.com/uploads/1/3/0/5/130550693/5548252.pdf
    • https://rofigigesa.weebly.com/uploads/1/3/0/3/130323630/b3843.pdf
    • https://datusuparof.weebly.com/uploads/1/3/0/3/130313436/5244905.pdf
    • http://krasota12.ru/uploads/2020/01/28/9091102.pdf
    • https://rafilaluxonijew.weebly.com/uploads/1/3/0/4/130476150/130476150.html#mvc+jsonresult+return+array

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000012a0.bin
292f811e8a8b0507ef86513902aab490dab738a41025f6b1b6d307c4eea24970		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12A0 9384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.