Malicious PDF — malware analysis report

Static analysis result for SHA-256 53a3d9b37a5d7d7e…

MALICIOUS

PDF

45.2 KB Authoring application: Adobe PDF Library 9.0
MD5: 99442413963091f96778a8a4cdb3636b SHA-1: 58ae799d995c5bc794931db8d3c7f318f0a9a8d1 SHA-256: 53a3d9b37a5d7d7e98634af05db14758fd4d93d9dac040fda8f6442907e06ffd
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic, pointing to external PDF files. This suggests a link farm or redirection mechanism. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier further support its malicious nature, likely for phishing or traffic generation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://txpublicschoolproud.com/uploads/1/3/0/8/130813398/2899980.pdf
    • http://newyorkcitycriminalattorney.net/uploads/1/3/0/5/130588199/9328993.pdf
    • http://3828riverroadbricknj.com/uploads/1/3/0/7/130775192/bimobazipofama-tajidekifuta-furuvibeneroxik.pdf
    • http://www.thegreaterbeings.com/uploads/1/3/0/3/130323449/medotomu.pdf
    • http://basicallygames.org/uploads/1/3/0/6/130639768/4043434.pdf
    • http://spencerfinancial.net/uploads/1/3/0/5/130589402/gozogebadesu.pdf
    • http://billyjackray.com/uploads/1/3/0/4/130476069/fubigexedaravam-vozulajuzu.pdf
    • http://prettylittlethings.ca/uploads/1/3/0/6/130621909/fozukawavonitem-basuxozekupe-futisix-junitod.pdf
    • http://www.trailchallengechampionships.com/uploads/1/3/0/8/130813883/3b6798a732325f5.pdf
    • http://ace-health.com/uploads/1/3/0/2/130272295/b5124c97.pdf
    • http://dentistryvistaca.com/uploads/1/3/0/9/130969146/vemopawurifibex.pdf
    • http://madeinlarioja.com/uploads/1/3/0/6/130620353/xofoputino_toxegubemupe_niximesojojof_fujegugafajoj.pdf
    • http://holy-post.net/uploads/1/3/0/7/130738641/ganajusawogulolaxe.pdf
    • http://ribligion.com/uploads/1/3/0/4/130477633/a84f3830e02498.pdf
    • http://pathaley.com/uploads/1/3/0/7/130739706/satusewu.pdf
    • http://michaelrogers.info/uploads/1/3/0/5/130589165/3437868.pdf
    • http://www.myocs.info/uploads/1/3/0/5/130543141/765259.pdf
    • http://blakeyhastings.com/uploads/1/3/0/2/130272352/kosutulutavilixep.pdf
    • http://wrml.net/uploads/1/3/0/3/130379285/volopatafur.pdf
    • http://www.episen.fr/uploads/1/3/0/4/130483349/02d49fe41134.pdf
    • http://mail.hippopassion.com/uploads/1/3/0/7/130776452/6977560.pdf
    • http://heatherbloggs.com/uploads/1/3/0/5/130588499/824811.pdf
    • http://74-123-79-231.mgwnet.com/uploads/1/3/0/5/130539078/130539078.html#eustachian+tube+dysfunction+1+month

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004e02.bin
2e6d8f7b9b5fd59e43c4fa157453a5d44fbff94cd198f1a8932b9892611091ec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4E02 8484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.