Malicious PDF — malware analysis report

Static analysis result for SHA-256 54405a1b3fb1f058…

Verdict: MALICIOUS
File type: PDF
Size: 48.7 KB
Authoring application: Poppler-utils
MD5: d50152416edcf9b170959fd40e5ebd25
SHA-1: c79b20a4e56cb485c2ebd4d6bc6d1a3bea5b2fc2
SHA-256: 54405a1b3fb1f058d5c942369eba8a9ebcdba92dde32fe64f1b2b02aca9dfb9d
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files hosted on various domains, indicating a link farm or distribution network. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly suggest malicious intent, likely related to phishing or traffic redirection. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00004579.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x4579; Size: 16036 bytes
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
  • font_01_sfnt_off00005cbf.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x5CBF; Size: 8608 bytes
    SHA-256: 848010a8ce2d6c065768d78cc8b76b0f2495242b0849824c44454e7c5a22b6f6