Malicious PDF — malware analysis report

Static analysis result for SHA-256 4929b2b5d12f794e…

Verdict: MALICIOUS
File type: PDF
Size: 43.9 KB
Authoring application: PDFedit
MD5: aa9655740584ebc720c99ba12ade4103
SHA-1: 10bf5398bfdcd703ae109c6daf6de59758485354
SHA-256: 4929b2b5d12f794efcb31ee483b7c3783087c480560895f7f64c6125f66dd581
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded URLs, indicating a link-farm strategy; this is strongly suggested by the PDF_SEO_LINK_FARM heuristic firing. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports malicious intent, likely related to phishing or traffic redirection. No scripts were extracted from this sample, and the document body is heavily obfuscated, which makes it difficult to determine the exact lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_002_off00005063.bin
  SHA-256: 06bbc61ddd55607921e49878bde9727deb85d9342a22014ad051dbb74329a8d4
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x5063
  Size: 19352 bytes

Filename: font_00_sfnt_off0000312f.bin
  SHA-256: 06d9a87e39e6160d97166facff661c20af4b7614f184bb201b135deb30256bca
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x312F
  Size: 10108 bytes