Malicious PDF — malware analysis report

Static analysis result for SHA-256 4c5d87cb2e84a98a…

Verdict: MALICIOUS
File type: PDF
Size: 36.8 KB
Authoring application: Mobipocket Creator
MD5: a25f188099bd67d18e38c70a18cd7dd9
SHA-1: 4dc38f5dcc7dedcd5dda4139d36769bada502dec
SHA-256: 4c5d87cb2e84a98a7019c549045c9e94ccbcef4ed96094262a07c9a6f2ac52ef
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The PDF carries a large number of link annotations pointing to external PDF files on many different domains, all sharing the same /uploads/1/3/0/N/13xxxxxxxx/ path structure; this is the pattern the PDF_SEO_LINK_FARM heuristic flags. It is characteristic of machine-generated SEO / link-farm carrier documents that route a reader into phishing or unwanted-software delivery chains rather than of a normal document citing sources. The ML classifier and the ClamAV signature independently corroborate the verdict. No JavaScript or other scripts were extracted from the sample, so the delivery mechanism is the user following one of the embedded links, not code that runs when the document is opened.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, typically clustered on one host or, as in this sample, on one hosting path template spread across many domains. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://dollartank.net/uploads/1/3/0/5/130589048/jilususetanox.pdf
    • http://ingwersenforhouse10.com/uploads/1/3/0/9/130969343/234d3ba594d765b.pdf
    • http://hartshornhustle.com/uploads/1/3/0/7/130738620/45fc0a17e711d57.pdf
    • http://brownwoodnews.org/uploads/1/3/0/5/130588656/xuzogademibegoxav.pdf
    • http://treasureourwildlife.com/uploads/1/3/0/5/130543772/gitobogoj.pdf
    • http://digital-human.org/uploads/1/3/0/2/130270783/wetogaxagomij.pdf
    • http://www.chalkboardplayers.com/uploads/1/3/0/6/130603895/8409251.pdf
    • http://survivingmentalhealth.com/uploads/1/3/0/4/130436365/wotolarage.pdf
    • http://masseyssmallanimalequine.com/uploads/1/3/0/2/130270957/vupevalun.pdf
    • http://ctchomeinspections.net/uploads/1/3/1/0/131070298/pufozifosajur-fumuzumus.pdf
    • http://gwe-design.com/uploads/1/3/0/6/130621901/9125872.pdf
    • http://avabaycompany.com/uploads/1/3/0/2/130288307/130288307.html#structural+vs+functionalism
    • http://masseyssmallanimalequine.com/u
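The PDF_SEO_LINK_FARM heuristic above states a verdict but not how it is computed. The Python below is an added example, not the analyzer's own code: a minimal re-implementation that pulls /URI targets out of link annotations and scores the file on its size, the number of external PDF links, and how concentrated those links are on one host or on one path template (the latter is what the URL list above actually shows: different domains, identical /uploads/1/3/0/N/... structure). The thresholds, the constructed sample PDF, the hypothetical .example hosts and the regex-based extraction (literal /URI strings only, no hex strings or object streams) are all assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed input: a minimal PDF whose single page carries one /Link
# annotation per URL. Hosts and paths are invented for the example; they
# are not the URLs from the report above.
FARM_URLS = [
    f"http://site{i:02d}.example/uploads/1/3/0/5/1305{i:05d}/file{i}.pdf"
    for i in range(12)
] + ["http://site03.example/uploads/1/3/0/5/130500003/130500003.html#topic"]


def build_pdf_with_links(urls):
    """Serialise a tiny PDF with a /URI link annotation per URL.
    No xref table is written, so viewers may reject it; it only needs to be
    scannable at the byte level for this example."""
    annots = "".join(
        "<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        f"/A << /S /URI /URI ({u}) >> >>\n" for u in urls
    )
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Annots [\n{annots}] >> endobj\n"
        "%%EOF\n"
    )
    return body.encode("latin-1")


# Link-annotation channel only: a /URI action whose target is a literal
# string. Hex strings, escaped parentheses and object streams are not handled.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")


def extract_link_uris(pdf_bytes):
    return [m.group(1).decode("latin-1", "replace")
            for m in URI_ACTION_RE.finditer(pdf_bytes)]


def path_template(url):
    """Drop the filename and collapse digit runs, so that
    /uploads/1/3/0/5/130589048/x.pdf and /uploads/1/3/0/9/130969343/y.pdf
    compare equal even though they sit on different hosts."""
    return re.sub(r"\d+", "#", urlparse(url).path.rsplit("/", 1)[0])


def link_farm_verdict(pdf_bytes, max_size=100_000, min_links=8, min_share=0.5):
    """Assumed thresholds (not the analyzer's): a small file, many external
    PDF links, and either one dominant host or one dominant path template."""
    uris = extract_link_uris(pdf_bytes)
    external_pdf = [u for u in uris
                    if urlparse(u).scheme in ("http", "https")
                    and urlparse(u).path.lower().endswith(".pdf")]
    n = len(external_pdf)
    hosts = Counter(urlparse(u).hostname for u in external_pdf)
    templates = Counter(path_template(u) for u in external_pdf)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template_share = templates.most_common(1)[0][1] / n if n else 0.0
    fires = (len(pdf_bytes) <= max_size and n >= min_links
             and max(top_host_share, top_template_share) >= min_share)
    return {
        "size": len(pdf_bytes),
        "total_uris": len(uris),
        "external_pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": top_host_share,
        "top_template_share": top_template_share,
        "fires": fires,
    }


if __name__ == "__main__":
    farm = build_pdf_with_links(FARM_URLS)
    benign = build_pdf_with_links(["https://example.org/paper.pdf",
                                   "https://example.org/slides.pdf"])
    print(link_farm_verdict(farm))    # fires: many links, one path template
    print(link_farm_verdict(benign))  # does not fire: two ordinary citations
```

The host-concentration test alone would miss this sample, since every link sits on a different domain; the path-template test is what catches a farm spread across many throwaway sites on one hosting platform. On a real file, replace the regex with a proper PDF parser that decodes object streams and filters, or the annotations will simply not be seen.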

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size        SHA-256
font_00_sfnt_off00002df1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2DF1   2632 bytes  81c1e5dfcb2cfb1fd71603381a8b2dc7f99f411593d73806cb50af85c9465cbe
font_01_sfnt_off00003998.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x3998   7520 bytes  9d8e36f131be4405d86bd3c65e5d8893395b0b0abee40ec99781d78e86aeb4be
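The two artifacts above are font programs carved out of the sample's stream objects and hashed. The Python below is an added example, not the sandbox's carving code (its method is not shown on this page): it walks every stream in a constructed PDF, resolves a direct /Length (falling back to scanning for endstream when /Length is an indirect reference), inflates FlateDecode streams, keeps the ones whose first four bytes are an sfnt magic, and reports offset, length and SHA-256 in the same shape as the table. The sample PDF, the fake font programs and the filter handling (FlateDecode only; other filters are left raw and will simply fail the magic check) are assumptions made for the example.

```python
import hashlib
import re
import zlib

# sfnt container magics for TrueType / OpenType font programs.
SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Apple)",
    b"OTTO": "OpenType (CFF)",
}


def fake_sfnt(magic):
    """Constructed font program: a plausible sfnt header plus filler. Not a
    real font and not one of the fonts carved from the sample."""
    header = magic + b"\x00\x01\x00\x10\x00\x00\x00\x00"  # numTables=1, searchRange, entrySelector, rangeShift
    table_record = b"cmap" + b"\x00" * 12                 # one table record: tag, checksum, offset, length
    return header + table_record + bytes(range(256)) * 4  # filler standing in for table data


FONT_TT = fake_sfnt(b"\x00\x01\x00\x00")
FONT_OT = fake_sfnt(b"OTTO")


def build_pdf(font_plain, font_deflated):
    """Tiny constructed PDF: one content stream with an indirect /Length, one
    raw FontFile2 stream and one FlateDecode FontFile3 stream. No xref table."""
    content = b"BT /F1 12 Tf 72 720 Td (hello) Tj ET"
    packed = zlib.compress(font_deflated)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n",
        b"4 0 obj << /Length 5 0 R >> stream\n" + content + b"\nendstream endobj\n",
        b"5 0 obj %d endobj\n" % len(content),
        b"6 0 obj << /Type /FontDescriptor /FontFile2 7 0 R >> endobj\n",
        b"7 0 obj << /Length %d /Length1 %d >> stream\n" % (len(font_plain), len(font_plain))
        + font_plain + b"\nendstream endobj\n",
        b"8 0 obj << /Type /FontDescriptor /FontFile3 9 0 R >> endobj\n",
        b"9 0 obj << /Length %d /Filter /FlateDecode /Subtype /OpenType >> stream\n" % len(packed)
        + packed + b"\nendstream endobj\n",
        b"%%EOF\n",
    ])


STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")          # 'stream' but not 'endstream'
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # skip '/Length 5 0 R'


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_sfnt_streams(pdf_bytes):
    """Return one record per stream whose decoded bytes start with an sfnt magic."""
    found = []
    for m in STREAM_KW.finditer(pdf_bytes):
        start = m.end()
        # Bound the stream dictionary to the current 'N G obj' so a /Length
        # from an earlier object is never picked up.
        obj_start = max(pdf_bytes.rfind(b" obj", 0, m.start()), 0)
        head = pdf_bytes[obj_start:m.start()]
        direct = DIRECT_LENGTH.findall(head)
        if direct:
            length = int(direct[-1])
        else:  # indirect /Length: fall back to the next endstream keyword
            end = pdf_bytes.find(b"endstream", start)
            if end < 0:
                continue
            length = len(pdf_bytes[start:end].rstrip(b"\r\n"))
        raw = pdf_bytes[start:start + length]
        # A correct /Length is immediately followed (after EOL) by 'endstream'.
        length_ok = pdf_bytes[start + length:start + length + 16].lstrip().startswith(b"endstream")
        filt = "FlateDecode" if b"/FlateDecode" in head else None
        if filt:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or not really deflate: not carveable here
        else:
            data = raw
        kind = SFNT_MAGICS.get(data[:4])
        if kind is None:
            continue
        found.append({
            "offset": start, "raw_length": length, "length_ok": length_ok,
            "filter": filt, "decoded_length": len(data), "kind": kind,
            "sha256": sha256_hex(data),
        })
    return found


if __name__ == "__main__":
    for f in carve_sfnt_streams(build_pdf(FONT_TT, FONT_OT)):
        print(f"offset 0x{f['offset']:X} {f['kind']:16} filter={f['filter']} "
              f"{f['decoded_length']} bytes sha256={f['sha256']}")
```

Hashing the decoded program rather than the raw stream is what makes the artifact hash comparable across samples: the same font re-embedded by another generator with a different compression level yields the same SHA-256. The length_ok flag is worth keeping in a real carver, because a /Length that does not land on endstream is itself a sign of a hand-crafted or damaged file.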