Malicious PDF — malware analysis report

Static analysis result for SHA-256 488d6b031a0ccb03…

Verdict: MALICIOUS
File type: PDF
Size: 35.9 KB
Authoring application: PDF Studio
MD5: 1adcfd8db226067a47013d856857769f
SHA-1: e3cfaf2387700876758315fef7f9641727af20b1
SHA-256: 488d6b031a0ccb032bbac37d331c492e3f28f2a9129985f0c74ef2422f4b5951
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files hosted on various domains, indicating a link farm or redirection scheme. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly suggest malicious intent, likely related to phishing or traffic generation. No scripts were extracted, and the document body content is heavily obfuscated and truncated, providing limited insight into the specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.gyroscorner.nl/uploads/1/3/0/7/130740622/0e6e16fee6735.pdf
    • http://location-valence-espagne.com/uploads/1/3/0/7/130776016/4befd0399.pdf
    • http://abraxasband.net/uploads/1/3/0/8/130814711/da9e0310ff624ed.pdf
    • http://wineindexinvesting.com/uploads/1/3/0/6/130604982/8879132.pdf
    • http://boganesque.com/uploads/1/3/0/7/130738623/8a3047faf8be6.pdf
    • http://workdesic.com/uploads/1/3/0/7/130776647/keguvezuguxat.pdf
    • http://bearcrack808.com/uploads/1/3/0/5/130539084/bojip.pdf
    • http://loureview.com/uploads/1/3/0/4/130489122/tibinakig.pdf
    • http://pixelfence.net/uploads/1/3/0/6/130604529/be367790e.pdf
    • http://haugenmediaogdesign.com/uploads/1/3/0/9/130968920/8753562.pdf
    • http://northwalestimberframes.com/uploads/1/3/0/6/130639593/554af09433e5.pdf
    • http://chinatmz.com/uploads/1/3/0/4/130476351/xodavezepuloraj.pdf
    • http://axlyvrexperience.com/uploads/1/3/0/6/130639212/dularizawebuxunezed.pdf
    • http://jikg.com/uploads/1/3/0/6/130640049/57130.pdf
    • http://austinaction.com/uploads/1/3/0/5/130551534/vixij.pdf
    • http://mta-sts.mx.cottoneart.com/uploads/1/3/0/4/130492229/pafis.pdf
    • http://ga65q.slpny.com/uploads/1/3/0/4/130435594/130435594.html#java+tutorial+pdf+in+tamil
    • http://chinatmz.com/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002ec7.bin
SHA-256: 5dd86e7474664eb7b9a9a1c241a92f1174b181024054ec8ca2e5c14df7bdccc8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2EC7
Size: 8676 bytes