Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b084c0a8fc89054…

MALICIOUS

PDF

Size: 35.5 KB
Authoring application: Serif PagePlus
MD5: c4e7bdf6d2e4c2611d329ead13a3710e
SHA-1: fe9522b2448809d8350f5fde85d8107c57735e2a
SHA-256: 4b084c0a8fc89054a42f45559496774d7ccc774392a77688c0c31067a9fca5b7
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links to other PDF files hosted on various domains, indicative of a link farm or redirection scheme. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier score strongly suggest malicious intent, likely related to phishing or traffic generation. The embedded URLs are the primary IOCs, facilitating the redirection to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000346f.bin
SHA-256: 87fe7be42fc8b46670d4dd3b73cbf12faa9af5d49720d576806dd97d9a0a89aa
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x346F
Size: 7728 bytes