Malicious PDF — malware analysis report

Static analysis result for SHA-256 43bdefbe55d780f1…

Verdict: MALICIOUS
File type: PDF
Size: 39.7 KB
Authoring application: pstoedit
MD5: 98b94f1bf5f3590b21d4262b7222a322
SHA-1: 31f594049f46133120d4865ae65da9ca3e3c7035
SHA-256: 43bdefbe55d780f1a9530785dfe29f031f112c1bacd207dcc967a57bb29d47ff
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF was flagged by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0 and by a machine learning classifier with high confidence. The heuristic PDF_SEO_LINK_FARM indicates a large number of external PDF links, the first identified URL being http://missfoggscience.com/uploads/1/3/0/5/130590535/ac1a6df6c819e0.pdf. This suggests the document's primary purpose is to act as a link farm, potentially for SEO manipulation or to route readers toward further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    First URL: http://missfoggscience.com/uploads/1/3/0/5/130590535/ac1a6df6c819e0.pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000016a5.bin
SHA-256: c1ccd471a50e42631ce0e9a30321a1d65a6fb2241d255151d16ce947f1e85273
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x16A5
Size: 7492 bytes