Malicious PDF — malware analysis report

Static analysis result for SHA-256 5071ff456f0625e7…

Verdict: MALICIOUS
File type: PDF
Size: 65.8 KB
Authoring application: Mobipocket Creator
MD5: d37f9685e1cf2b3684544ae963d3b87d
SHA-1: 3e777dfed31cc36a8e2c8b4da27f52acde25c4e8
SHA-256: 5071ff456f0625e7301bc27e846dea0ba5929c7f3c296e0158484b9352a4de8d
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell
    The T1059.001 mapping is not corroborated by anything in this report: no script was extracted from the sample (see the summary below), so treat it as an assumed later stage of the delivery chain rather than an observed behaviour of this file.

The PDF was flagged by multiple heuristics, including the critical PDF_SEO_LINK_FARM rule and a ClamAV detection for Pdf.Phishing.TtraffRobotInstall-7605656-0. Four of the five URLs extracted from the file point to externally hosted .pdf files, each on a different host but all with the same /uploads/1/3/0/<n>/<id>/ path structure and random-looking file names; the fifth is an .html page on the same kind of path. That is the pattern of a generated SEO/link-farm carrier used to route readers into further download chains, not a normal citation list. The visible document text appears obfuscated or corrupted, and it repeats several of the same URLs, which reinforces the link-farm assessment. No scripts were extracted from this sample; the only artifacts carved from it are four embedded sfnt fonts, none of which triggered a detection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9941

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the four .pdf targets sit on four different hosts; what they share is the identical /uploads/1/3/0/<n>/<id>/ directory structure and random-looking file names.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) show which path reached each URL. Those per-URL labels are not included in this report.
    • http://newsmint.net/uploads/1/3/0/4/130492771/wunusuk-gixefaneg-metekegav.pdf
    • http://vestmoglobal.com/uploads/1/3/0/5/130539840/nazusujopuze-jeperovubuweru.pdf
    • http://ohno.life/uploads/1/3/0/7/130739933/fukifone-netazi-wagirig-rokubotogiruxan.pdf
    • http://mystudio500-woodfiredpottery.com/uploads/1/3/0/5/130547689/pesefevubufotazurodu.pdf
    • http://bsa-sccc-pack301.com/uploads/1/3/0/3/130313123/130313123.html#anjali+raghav+new+song+2019
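The PDF_SEO_LINK_FARM heuristic above is straightforward to reimplement for local triage. The Python script below is an added example written for this page, not the sandbox's own detection code or the ClamAV signature: it pulls every /URI link action out of a PDF (also inflating FlateDecode streams, where PDF 1.5 object streams can hide annotations), groups the .pdf targets by host and by digit-collapsed directory template, and flags a small file whose links cluster on either. The PDFs it scans are constructed inline with hypothetical .example hosts that copy the path shape of the URLs extracted above; the thresholds (200 KB, four links, 50% cluster share) are assumptions, not the sandbox's values. It goes slightly beyond the rule text by clustering on path template as well as host, because in this sample the links are on different hosts but share one directory layout.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# --- Constructed inputs (not the analysed sample) -------------------------------
# Toy PDFs built in memory: enough structure for the URI extractor, no real layout.
def _pdf_with_links(uris):
    annots, objs = [], []
    for i, uri in enumerate(uris, start=4):
        annots.append(f"{i} 0 R")
        objs.append(
            f"{i} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            f"/A << /S /URI /URI ({uri}) >> >> endobj\n"
        )
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{' '.join(annots)}] >> endobj\n"
        + "".join(objs)
        + "trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")

# Mimics the report's shape: four .pdf targets on four hosts (hypothetical .example
# names), all under the same /uploads/1/3/0/<n>/<id>/ directory template, plus one .html.
LINK_FARM_PDF = _pdf_with_links([
    "http://host-a.example/uploads/1/3/0/4/130492771/wunusuk-gixefaneg.pdf",
    "http://host-b.example/uploads/1/3/0/5/130539840/nazusujopuze.pdf",
    "http://host-c.example/uploads/1/3/0/7/130739933/fukifone-netazi.pdf",
    "http://host-d.example/uploads/1/3/0/5/130547689/pesefevubufo.pdf",
    "http://host-e.example/uploads/1/3/0/3/130313123/130313123.html#song",
])
# An ordinary document with two citation links: must not be flagged.
CITATION_PDF = _pdf_with_links([
    "https://www.rfc-editor.org/rfc/rfc8259.pdf",
    "https://example.org/papers/2019/report.html",
])
# The same kind of annotation hidden inside a FlateDecode stream, as PDF 1.5 object
# streams do; a regex over the raw file alone would miss it.
_HIDDEN_OBJ = (b"8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
               b"/URI (http://host-f.example/uploads/1/3/0/9/130000000/hidden.pdf) >> >> endobj\n")
COMPRESSED_PDF = (b"%PDF-1.5\n9 0 obj << /Type /ObjStm /Filter /FlateDecode >> stream\n"
                  + zlib.compress(_HIDDEN_OBJ) + b"\nendstream\nendobj\n%%EOF\n")

# --- Extraction ------------------------------------------------------------------
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def _unescape(raw: bytes) -> str:
    # Undo the PDF literal-string escapes that can occur inside a URL: \( \) \\
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")

def extract_uri_links(pdf_bytes: bytes) -> list:
    """All /URI action targets in the file, in order of first appearance,
    scanning both the raw bytes and every stream that inflates with zlib."""
    buffers = [pdf_bytes]
    for m in _STREAM_RE.finditer(pdf_bytes):
        try:
            buffers.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (or damaged): nothing extra to scan
    seen, urls = set(), []
    for buf in buffers:
        for m in _URI_RE.finditer(buf):
            url = _unescape(m.group(1))
            if url not in seen:
                seen.add(url)
                urls.append(url)
    return urls

# --- Rule ------------------------------------------------------------------------
def _path_template(url: str) -> str:
    # Drop the file name and collapse digit runs, so /uploads/1/3/0/4/130492771/
    # and /uploads/1/3/0/5/130539840/ become the same template.
    directory = urlparse(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)

def link_farm_verdict(pdf_bytes: bytes, max_size: int = 200 * 1024,
                      min_pdf_links: int = 4, cluster_share: float = 0.5) -> dict:
    """Flag a small PDF whose clickable links are mostly external .pdf files that
    cluster either on one host or on one generated path template (thresholds assumed)."""
    urls = extract_uri_links(pdf_bytes)
    pdf_links = [u for u in urls if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    templates = Counter(_path_template(u) for u in pdf_links)
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template = templates.most_common(1)[0][1] / n if n else 0.0
    return {
        "size": len(pdf_bytes),
        "urls": urls,
        "pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": top_host,
        "top_path_template_share": top_template,
        "flagged": (len(pdf_bytes) <= max_size and n >= min_pdf_links
                    and max(top_host, top_template) >= cluster_share),
    }

if __name__ == "__main__":
    for name, blob in (("link-farm", LINK_FARM_PDF), ("citations", CITATION_PDF)):
        v = link_farm_verdict(blob)
        print(f"{name}: {v['pdf_links']} pdf links on {v['distinct_hosts']} hosts, "
              f"template share {v['top_path_template_share']:.2f}, flagged={v['flagged']}")
```

On a real sample, run `link_farm_verdict(open(path, "rb").read())` and review the returned URL list by hand before acting on the flag: the regex scan finds URI actions wherever they sit, including inside inflated object streams, but it does not follow cross-reference streams or other filters (LZW, ASCII85), so a full PDF parser is still the authoritative tool for anything beyond triage.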

Extracted artifacts 4

Files carved from inside the sample during analysis. All four are embedded sfnt font streams; none of them produced a detection in this report.

Filename (SHA-256 on the following line)      Kind             Source                                      Size
font_00_sfnt_off000010d7.bin                  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10D7   8556 bytes
  b35f76bb2cc7d5603ccd1da604c955f840b6ad4ee730b72259198d8401850051
font_01_sfnt_off000091a8.bin                  pdf-font-stream  PDF embedded font (sfnt) at offset 0x91A8   1388 bytes
  1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0
font_02_sfnt_off000098ac.bin                  pdf-font-stream  PDF embedded font (sfnt) at offset 0x98AC   16036 bytes
  779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
font_03_sfnt_off0000aebb.bin                  pdf-font-stream  PDF embedded font (sfnt) at offset 0xAEBB   13048 bytes
  08c2f9511a9e699f994d5cb98e5cd3cb69238bc6e4e29fa1526e8fcd0601e3da