Malicious PDF — malware analysis report

Static analysis result for SHA-256 46bbbd9187acfe04…

Verdict: MALICIOUS
File type: PDF
Size: 36.9 KB
Authoring application: Mobipocket Creator
MD5: 079772ecda6af7cb5ad47ce1d4a7a751
SHA-1: 5e44e5e1f9d47f691aa38e6409c32c09a5723e84
SHA-256: 46bbbd9187acfe0489a8f2b2a9cabd1d3e054012c2716b9a74b96aa14ff681b4
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, which is a common technique for phishing and malware distribution. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports its malicious nature. The document body, though heavily obfuscated, mentions a survey on patient safety culture, likely a lure to encourage users to click the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://myamigo.net/uploads/1/3/0/4/130476359/kokeju.pdf
    • http://nineviewer.com/uploads/1/3/0/4/130483279/4899969.pdf
    • http://shirazvisinko.com/uploads/1/3/0/6/130604803/laluzu.pdf
    • http://cpanel.kingofpopz.com/uploads/1/3/0/2/130274345/gababetova_polipitizuri_xezuzozulona_suboruxuzobalaj.pdf
    • http://mybest30minutes.com/uploads/1/3/0/8/130873794/4077f68c44.pdf
    • http://petstylz.com/uploads/1/3/0/8/130873990/kototagat.pdf
    • http://technologypassport.com/uploads/1/3/0/6/130621024/famowijaritepew.pdf
    • http://theevenbetterlife.com/uploads/1/3/0/4/130483426/gegogiborisiman.pdf
    • http://tilevum.store/uploads/1/3/0/6/130639734/bomuje.pdf
    • http://drondome.com/uploads/1/3/0/6/130620760/e1c76f008b3560.pdf
    • http://drawerganizers.com/uploads/1/3/0/6/130604741/pamawipitu_nubaparulikelu_pikogezafewe_zogileso.pdf
    • http://thrivetobehealthy.com/uploads/1/3/0/6/130639628/8487174.pdf
    • http://normanreznicowod.com/uploads/1/3/0/7/130740323/d7d07f83d1c19.pdf
    • http://jonforsh.com/uploads/1/3/0/7/130738978/3552899.pdf
    • http://bluefinmiddletonma.com/uploads/1/3/0/5/130547812/genikisomigolagotep.pdf
    • http://ncslibrary.org/uploads/1/3/0/3/130379075/d134b8495e984ba.pdf
    • http://melas.store/uploads/1/3/0/4/130476912/d511770.pdf
    • http://mytinyhome.net/uploads/1/3/0/6/130639767/98cac6bdad.pdf
    • http://qhpta.shop/uploads/1/3/0/6/130621487/lukivibibovum_zodajigege.pdf
    • http://coachellascreenprinting.com/uploads/1/3/0/6/130640208/xadux.pdf
    • http://didlogic.org/uploads/1/3/0/3/130313786/9692880.pdf
    • http://kbtezkh.brdge.org/uploads/1/3/0/7/130776878/130776878.html#hospital+survey+on+patient+safety+culture+espa%C3%B1ol

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002dfa.bin
SHA-256: eccaa8eef03184da1258a4b8de7100c1fc1c90ceaff249fd23ac8ab44e14697f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2DFA
Size: 8464 bytes