Malicious PDF — malware analysis report

Static analysis result for SHA-256 50ff76f88c214723…

MALICIOUS

PDF

38.9 KB Authoring application: Nitro PDF
MD5: acd542268301ffa8a9258f490d41b0ed SHA-1: ee9d40b34952f0c0eaa44a300b5b63894a8fbf7d SHA-256: 50ff76f88c21472391b62909d4c893d0af90ffe2709bef20b75b87a6714f6e85
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or redirection scheme. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier output further support a malicious classification. The document body, though partially corrupted, contains references to the URLs, indicating a lure to external content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://blackfriday.dng.ie/uploads/1/3/0/6/130639298/5410003.pdf
    • http://truecorners.com/uploads/1/3/0/4/130435870/somulixa.pdf
    • http://mobilenotaryinca.com/uploads/1/3/0/5/130590356/4716070.pdf
    • http://congresoselis.info/uploads/1/3/0/6/130639545/wavasiv.pdf
    • http://jamesorourkelaw.com/uploads/1/3/0/5/130590613/63c0202ba421c7.pdf
    • http://myovisioninfo.com/uploads/1/3/0/7/130739061/9501814.pdf
    • http://gukud.megadrom.info/uploads/2020/01/28/paxulexaj.pdf
    • http://vipoxofare.sunparkspb.com/uploads/2020/01/29/gaduzirov.pdf
    • http://kexo.globewebguru.com/uploads/2020/01/28/388aeada3d.pdf
    • http://youareheregames.net/uploads/1/3/0/7/130740089/bevubagenakajim.pdf
    • http://mrskiriluk.net/uploads/1/3/0/7/130738528/2f7ea50e4.pdf
    • http://kylaconner.com/uploads/1/3/0/5/130550912/130550912.html#impingement+shoulder+exercises+physical+therapy

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001276.bin
307a834c2be706bd189a23a78cfe4bb9e22d0c2667380afa1a20f45b448f3828		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1276 8092 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.