Malicious PDF — malware analysis report

Static analysis result for SHA-256 52f6334cd5c03f9c…

MALICIOUS

PDF

Size: 31.7 KB
Authoring application: ImageMagick
MD5: fb5db551412b834cb946609f433bbd4e
SHA-1: 914135a7a075d25c73fcbbae3d529cf1485285af
SHA-256: 52f6334cd5c03f9ce6c5b2a3a3826f83244fc5017b18b313717020c3b50ca31f
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO spam or to distribute malicious content. ClamAV identified this as Pdf.Phishing.TtraffRobotInstall, and ML classifiers also flagged it as malicious. The embedded URLs are the primary IOCs, suggesting a content-distribution or phishing campaign.

Machine Learning

  • Nyx PDF Classifier: malicious (score 1.0000)

Heuristics 3

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted from the document:
    • http://catvaloreaza.com/uploads/1/3/0/5/130545733/gokijazitakavidi.pdf
    • http://randomminds.net/uploads/1/3/0/5/130539757/bc6144.pdf
    • http://omiluxury.com/uploads/1/3/0/6/130604950/gowixupus-bijomixed-vapidirivuj-vubitafu.pdf
    • http://superiorcartcompany.com/uploads/1/3/0/6/130640109/de3ef6dca.pdf
    • http://casaservicesfinanciers.com/uploads/1/3/0/6/130604615/kimimenifonivur.pdf
    • http://indoorclimatesolutiontn.com/uploads/1/3/0/8/130874330/2810029.pdf
    • http://lowermyratestx.com/uploads/1/3/0/2/130287310/eabbb6407f030.pdf
    • http://anorganizedadventure.com/uploads/1/3/0/4/130483045/2642869.pdf
    • http://redeemerfortbend.com/uploads/1/3/0/6/130605228/zitororewuduxal_xopul_xeleniwibegel_tidubupoworawo.pdf
    • http://allmetusa.com/uploads/1/3/0/7/130776183/fuker_jipenasanuw.pdf
    • http://www.andreistoica.me/uploads/1/3/0/7/130739656/nimije_penijaf.pdf
    • http://mingyiliu.me/uploads/1/3/0/5/130543092/lefif_jupojaxukid_dalire.pdf
    • http://veronikasafarova.com/uploads/1/3/0/6/130604548/voxokekofa_zasugubegaru.pdf
    • http://webdisk.cityofhopechurch.org/uploads/1/3/0/4/130436006/9023440.pdf
    • http://alligatorget.com/uploads/1/3/0/8/130814469/3955247.pdf
    • http://reddirt.info/uploads/1/3/0/4/130435520/679414.pdf
    • http://bb-lash.com/uploads/1/3/0/7/130738632/05391cfcf5a8.pdf
    • http://display2u.com/uploads/1/3/0/6/130603763/1277463.pdf
    • http://www.ethantuckerdesign.com/uploads/1/3/0/6/130620719/vaxom-newefasasodimo-favidaf.pdf
    • http://www.micabotanicals.com/uploads/1/3/0/3/130323097/130323097.html#empirical+cumulative+distribution+function+ggplot

Extracted artifacts 1

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001f71.bin
    SHA-256: 66acbe219e01f3a2501bb2ecbfaf17b8b21d3811203f988ca47ee0f812bb8902
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1F71
    Size: 6920 bytes