Malicious PDF — malware analysis report

Static analysis result for SHA-256 4948e1af0e0f7fc4…

Verdict: MALICIOUS
File type: PDF
Size: 61.9 KB
Authoring application: Adobe PDF Library 9.0
MD5: a0bf94e95a72d5ba8731c9a655d712d1
SHA-1: 64f0ea269bf130681000bee0b15ab729dc3331d9
SHA-256: 4948e1af0e0f7fc488faa7d466b2d9d782ee617d46e4d5503b80554fd24499a0
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

The PDF carries a large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic. Nearly every extracted link points at another .pdf under the same /uploads/1/3/0/<n>/<id>/ path template, each on a different host, which is the signature of generated SEO/link-farm carriers used to route users into malicious or unwanted-software delivery chains rather than a normal citation pattern. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently classifies the file as a phishing document. No scripts were extracted and the document body is heavily obfuscated, so the verdict rests on the link farm and the signature match, not on any active content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mmeconnect.com/uploads/1/3/0/6/130621775/3838551.pdf
    • http://fishbowllabs.com/uploads/1/3/0/7/130775800/23e52990aba00.pdf
    • http://aimonpurpose.com/uploads/1/3/0/5/130543239/vukebepog.pdf
    • http://three54.com/uploads/1/3/0/5/130589334/bilutaganunipup.pdf
    • http://abingdoncc.org/uploads/1/3/0/2/130274256/21821eed32d47.pdf
    • http://thesustainables.biz/uploads/1/3/0/6/130604498/1de2799f784.pdf
    • http://desireedelaloye.com/uploads/1/3/0/3/130323642/supukeruve.pdf
    • http://www.gwe-design.com/uploads/1/3/0/4/130436389/vebaviwev_wafezeza_tugegikatomefo_vadiden.pdf
    • http://playbyplaytiw.com/uploads/1/3/0/7/130738684/3425628.pdf
    • http://sjnbasketball.org/uploads/1/3/0/6/130639590/riwubet.pdf
    • http://sensoryfriends.org/uploads/1/3/0/5/130543386/54dfb2cd4.pdf
    • http://sarahvermette.ca/uploads/1/3/0/7/130775347/4919220.pdf
    • http://sainttheresacatholicchurch.com/uploads/1/3/0/4/130483737/07e6baabb65.pdf
    • http://mendocinorose.com/uploads/1/3/0/4/130435597/jixomuf.pdf
    • http://www.kingchain.info/uploads/1/3/0/6/130603935/vijaredopixovomamuv.pdf
    • http://mail.tielbuerger.ch/uploads/1/3/0/8/130874266/4369057.pdf
    • http://www.peacefulpanda.net/uploads/1/3/0/7/130775189/17b826.pdf
    • http://capturingtheride.com/uploads/1/3/0/5/130590698/763948.pdf
    • http://adammatheny.com/uploads/1/3/0/6/130639177/97464f9923.pdf
    • http://cpanel.joinzombieclub.com/uploads/1/3/0/5/130551554/zawebexid.pdf
    • http://mitgliederbereich.bauberater-kdr.de/uploads/1/3/0/4/130475997/9e9ec.pdf
    • http://a1hypnotherapy.org/uploads/1/3/0/2/130289638/sugudepuveju_jatikalotuwazef_wajedibinufemux_gixija.pdf
    • http://relaxzen-artlessons.com/uploads/1/3/0/3/130313314/7849296.pdf
    • http://www.docksideengraving.com/uploads/1/3/0/6/130604744/cc415873d6d3.pdf
    • http://hostmaster.freelandrestoration.com/uploads/1/3/0/4/130494871/130494871.html#acls+algorithms+made+simple
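The PDF_SEO_LINK_FARM check above can be reproduced offline. The following is an added example, not the analyzer's own code: it pulls /URI targets out of link annotations (scanning both the raw file and any FlateDecode streams, because annotations packed into object streams are invisible to a raw scan) and then scores the document the way the heuristic describes, with one generalisation drawn from this sample's URL list: clustering is measured on the directory template (/uploads/N/N/N/N/N) as well as on the host, since here every target sits on a different host but shares one template. The thresholds (10 links, 256 KB, 50% cluster share), the build_test_pdf helper and the example.* hosts are assumptions; the twelve farm URLs are copied from the report's URL list.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)  # /URI (...)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                # /URI <hex>
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)

def inflate_streams(pdf_bytes):
    """Join every stream that inflates as Flate; annotations packed into /ObjStm are only visible here."""
    chunks = []
    for m in STREAM.finditer(pdf_bytes):
        try:
            chunks.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate data (images, fonts, ...)
    return b"\n".join(chunks)

def extract_uris(pdf_bytes):
    """Collect /URI targets from the raw file and from inflated streams, in file order."""
    found = []
    for blob in (pdf_bytes, inflate_streams(pdf_bytes)):
        for m in URI_LITERAL.finditer(blob):
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\
            found.append(raw.decode("latin-1"))
        for m in URI_HEX.finditer(blob):
            hexstr = re.sub(rb"\s", b"", m.group(1))
            hexstr += b"0" * (len(hexstr) % 2)  # PDF pads an odd last digit with 0
            found.append(bytes.fromhex(hexstr.decode("ascii")).decode("latin-1"))
    return list(dict.fromkeys(found))  # de-duplicate, keep order

def path_template(url):
    """Collapse digit runs: /uploads/1/3/0/6/130621775/x.pdf -> /uploads/N/N/N/N/N."""
    return re.sub(r"\d+", "N", urlsplit(url).path.rsplit("/", 1)[0])

def link_farm_score(pdf_bytes, min_links=10, max_size=256 * 1024, cluster=0.5):
    """Small PDF, many external .pdf links, clustered on one host or one directory template."""
    uris = extract_uris(pdf_bytes)
    pdf_links = [u for u in uris if urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(urlsplit(u).netloc.lower() for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    tmpl_share = templates.most_common(1)[0][1] / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and max(host_share, tmpl_share) >= cluster)
    return {"size": len(pdf_bytes), "uris": len(uris), "pdf_links": n,
            "hosts": len(hosts), "top_host_share": round(host_share, 2),
            "top_template_share": round(tmpl_share, 2), "flagged": flagged}

def build_test_pdf(urls, in_object_stream=False):
    """Hypothetical helper: xref-less one-page PDF with a Link annotation per URL,
    optionally packed into a FlateDecode object stream."""
    annots = []
    for i, u in enumerate(urls, start=4):
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        annots.append((i, "<< /Type /Annot /Subtype /Link /Rect [0 0 9 9] "
                          f"/A << /S /URI /URI ({esc}) >> >>"))
    refs = " ".join(f"{i} 0 R" for i, _ in annots)
    out = bytearray(b"%PDF-1.5\n")
    for i, body in [(1, "<< /Type /Catalog /Pages 2 0 R >>"),
                    (2, "<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
                    (3, f"<< /Type /Page /Parent 2 0 R /Annots [{refs}] >>")]:
        out += f"{i} 0 obj\n{body}\nendobj\n".encode("latin-1")
    if in_object_stream:  # "objnum offset" header pairs, then the object bodies
        header, data = "", ""
        for i, body in annots:
            header, data = header + f"{i} {len(data)} ", data + body + "\n"
        payload = zlib.compress((header + data).encode("latin-1"))
        out += (f"{len(annots) + 4} 0 obj\n<< /Type /ObjStm /N {len(annots)} /First "
                f"{len(header)} /Length {len(payload)} /Filter /FlateDecode >>\nstream\n"
                ).encode("latin-1") + payload + b"\nendstream\nendobj\n"
    else:
        for i, body in annots:
            out += f"{i} 0 obj\n{body}\nendobj\n".encode("latin-1")
    return bytes(out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")

# Constructed inputs: FARM_URLS are twelve targets copied from the report's URL
# list; BENIGN_URLS mimic ordinary citations (example.* hosts are placeholders).
FARM_URLS = [
    "http://mmeconnect.com/uploads/1/3/0/6/130621775/3838551.pdf",
    "http://fishbowllabs.com/uploads/1/3/0/7/130775800/23e52990aba00.pdf",
    "http://aimonpurpose.com/uploads/1/3/0/5/130543239/vukebepog.pdf",
    "http://three54.com/uploads/1/3/0/5/130589334/bilutaganunipup.pdf",
    "http://abingdoncc.org/uploads/1/3/0/2/130274256/21821eed32d47.pdf",
    "http://thesustainables.biz/uploads/1/3/0/6/130604498/1de2799f784.pdf",
    "http://desireedelaloye.com/uploads/1/3/0/3/130323642/supukeruve.pdf",
    "http://playbyplaytiw.com/uploads/1/3/0/7/130738684/3425628.pdf",
    "http://sjnbasketball.org/uploads/1/3/0/6/130639590/riwubet.pdf",
    "http://sensoryfriends.org/uploads/1/3/0/5/130543386/54dfb2cd4.pdf",
    "http://sarahvermette.ca/uploads/1/3/0/7/130775347/4919220.pdf",
    "http://mendocinorose.com/uploads/1/3/0/4/130435597/jixomuf.pdf",
]
BENIGN_URLS = ["https://www.example.org/docs/spec.pdf", "https://example.net/papers/a(b).pdf"]

if __name__ == "__main__":
    for label, urls in (("farm", FARM_URLS), ("benign", BENIGN_URLS)):
        print(label, link_farm_score(build_test_pdf(urls, in_object_stream=True)))
```

Running the script scores both carriers with their annotations packed into a compressed object stream; the farm case is flagged on template share (1.0) while its top host share is only 1/12, which is exactly the case the host-only wording of the heuristic would miss. Against a real sample, replace build_test_pdf output with the file's bytes; object streams that use a filter other than FlateDecode, or encrypted documents, still need a full PDF parser.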

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000017a5.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x17A5  8644 bytes
SHA-256: b476cc36633c112267bd3e5764bbad4c50c553f0a47e9f6c1dffa683c9ac52b6