Malicious PDF — malware analysis report

Static analysis result for SHA-256 3a9cd2cd2b140fa8…

MALICIOUS

PDF

Size: 84.2 KB
Authoring application: Adobe PDF Library 9.0
MD5: c1bf3508f3983c0c6e54d3dd1cabbc94
SHA-1: 2a63096e8f1b055cc93072508e0e5fc451d498df
SHA-256: 3a9cd2cd2b140fa8c7a5254aadc6fbfbe1ddb8033ad355d8e1f8a81b87f6285b
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF carries 15 embedded URLs, flagged by the PDF_SEO_LINK_FARM heuristic. Fourteen of them point to .pdf files on fourteen different hosts that all share the same /uploads/1/3/0/.../ path structure, and one points to an .html page with a keyword fragment; this is the pattern of a generated SEO/link-farm carrier, not a normal citation pattern. The ClamAV signature (Pdf.Phishing.TtraffRobotInstall-7605656-0) and the ML classifier (score 0.9999) both indicate maliciousness. The links are the likely delivery vector, routing users to further PDFs or SEO-poisoned pages. No scripts were extracted from this sample, so the file relies on the user following a link rather than on automatic execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (15):
    • http://accordingtoiris.com/uploads/1/3/0/5/130551064/3eb73e22420.pdf
    • http://nicolebarry.ca/uploads/1/3/0/5/130588786/waxopozetiva_juzozuzuxe.pdf
    • http://adfs.pactera.co/uploads/1/3/0/8/130874667/vasinenag-fojurowu.pdf
    • http://naturalhand.net/uploads/1/3/0/7/130739169/f246946ae423.pdf
    • http://josephberry.co.uk/uploads/1/3/0/2/130287279/lizukokolusutadide.pdf
    • http://orlandoforeclosurelaw.net/uploads/1/3/0/5/130588499/4784376.pdf
    • http://johndcoates.com/uploads/1/3/0/5/130539612/tajavadafuw.pdf
    • http://clontarfbuildinghistory.com/uploads/1/3/0/6/130639246/gatatalowub.pdf
    • http://napervillespa.net/uploads/1/3/0/6/130621015/tababagaxakekew.pdf
    • http://yasminali.com/uploads/1/3/0/7/130739381/7193113.pdf
    • http://rewindind.com/uploads/1/3/0/4/130489038/4212216.pdf
    • http://midnighttokerstore.com/uploads/1/3/0/2/130289189/wuredigujisip_rasibufodowop.pdf
    • http://artcenterla.com/uploads/1/3/0/7/130775969/e42efba4.pdf
    • http://imaginecandystore.com/uploads/1/3/0/7/130738633/87de0d0c0d92.pdf
    • http://davinciartistsgallery.com/uploads/1/3/0/5/130551418/857a00.pdf
    • http://taiyangchengjiawangbaosha.br3h.com/uploads/1/3/0/4/130488833/130488833.html#namaz+ka+tariqa+in+roman+english
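How the two URL-related findings above can be reproduced, as an added example that is not the analysis tool's own code and was not taken from the sample: a stdlib-only Python scanner that pulls /URI targets from a PDF's raw objects and from any FlateDecode stream it can inflate (the EMBEDDED_URL extraction), then applies a reimplementation of the PDF_SEO_LINK_FARM idea. The thresholds MAX_SIZE_BYTES, MIN_EXTERNAL_LINKS and MIN_CLUSTER_SHARE, the build_sample_pdf helper and the placeholder hostnames in SAMPLE_URLS are all assumptions; the vendor's real cut-offs are not on this page.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Assumed thresholds: the page names the heuristic but not its real cut-offs.
MAX_SIZE_BYTES = 200_000   # what counts as a "small PDF"
MIN_EXTERNAL_LINKS = 10    # "many clickable external links"
MIN_CLUSTER_SHARE = 0.5    # share of links on the top host, or ending in .pdf

# /URI targets are literal strings; "(?<!end)" keeps "endstream" from matching "stream".
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _literal_to_str(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that can occur inside a URL."""
    return raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\").decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Collect every /URI target in the raw objects and inside any stream that
    inflates as zlib (annotation dicts are often packed into object streams)."""
    uris = [_literal_to_str(m) for m in URI_RE.findall(pdf)]
    for body in STREAM_RE.findall(pdf):
        try:
            # decompressobj tolerates a clipped trailing byte; non-Flate bodies raise.
            inflated = zlib.decompressobj().decompress(body)
        except zlib.error:
            continue
        uris.extend(_literal_to_str(m) for m in URI_RE.findall(inflated))
    return uris


def link_farm_verdict(pdf: bytes) -> dict:
    """Score a PDF the way the PDF_SEO_LINK_FARM description reads: small file,
    many external links, links clustered on one host or all pointing at .pdf files."""
    external = [u for u in extract_uris(pdf) if urlparse(u).scheme in ("http", "https")]
    hosts = Counter(urlparse(u).netloc.lower() for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    pdf_targets = sum(urlparse(u).path.lower().endswith(".pdf") for u in external)
    n = len(external)
    host_share = top_count / n if n else 0.0
    pdf_share = pdf_targets / n if n else 0.0
    fires = (len(pdf) <= MAX_SIZE_BYTES and n >= MIN_EXTERNAL_LINKS
             and max(host_share, pdf_share) >= MIN_CLUSTER_SHARE)
    return {"size": len(pdf), "external_links": n, "distinct_hosts": len(hosts),
            "top_host": top_host, "host_share": host_share,
            "pdf_target_share": pdf_share, "PDF_SEO_LINK_FARM": fires}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed test input: one page with one /Link annotation per URL. The first
    half of the annotations are plain objects, the rest sit inside a FlateDecode
    stream so the extractor must inflate to see them. No xref table is written;
    the regex scanner above does not need one."""
    half = len(urls) // 2
    out = [b"%PDF-1.5\n",
           b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
           b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
           b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"]
    for i, u in enumerate(urls[:half]):
        out.append((b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (%s) >> >> endobj\n") % (10 + i, u.encode()))
    hidden = b"".join(b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\n" % (u.encode(),)
                      for u in urls[half:])
    packed = zlib.compress(hidden)
    out.append(b"90 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % (len(packed),)
               + packed + b"\nendstream\nendobj\n")
    out.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


# Constructed sample modelled on the list above: 14 .pdf links on 14 different
# placeholder hosts sharing one /uploads/... path shape, plus one .html link.
SAMPLE_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/13050{i:04d}/{i:x}.pdf"
               for i in range(14)]
SAMPLE_URLS.append("http://site14.example/uploads/1/3/0/5/130500014/130500014.html#some+keywords")

if __name__ == "__main__":
    print(link_farm_verdict(build_sample_pdf(SAMPLE_URLS)))
```

Point link_farm_verdict at the real file's bytes to reproduce the check. A clustering test on host alone would not fire on this sample, where every link lives on a different host but shares the same upload-path shape, which is why the share of .pdf targets is considered alongside host concentration.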

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • stream_005_off0000ec38.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xEC38
    Size: 22496 bytes
    SHA-256: 21e5ade42609d6b4155cca808bea968bac086a422787b1fa57e34578c4820c35
  • font_00_sfnt_off0000112d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x112D
    Size: 8188 bytes
    SHA-256: b0c1beae2d9015b08e714925c6cbe2f3d9273785fd926c045b3783c37a5e9687
  • font_01_sfnt_off0000b85b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB85B
    Size: 2652 bytes
    SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea
  • font_02_sfnt_off0000c3e0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC3E0
    Size: 15496 bytes
    SHA-256: d51f1efab3e926dd9ccee183b1e7575a9e0e2da2c681b82dfb6038053c9dcd0a