Malicious PDF — malware analysis report

Static analysis result for SHA-256 5aab1b31dabc9a48…

Verdict: MALICIOUS
File type: PDF
Size: 32.9 KB
Authoring application: PDFedit
MD5: 1066f0f8fd37021133a84d1361fd2fcc
SHA-1: 4e765682d6e2a7076a2ce75223e528d7ff8d7b6b
SHA-256: 5aab1b31dabc9a483f25929622a9072299d07e0599f02ee1bb24d45900bed0e7
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO spam or to redirect users to malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, classifying it as Pdf.Phishing.TtraffRobotInstall. No scripts were extracted, but the sheer volume of external links suggests a campaign to drive traffic or distribute further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000024fc.bin
Hash (SHA-256): 914333e209bb7647e96f6a966377887923e873702d7658967b3b5a5df8ee0361
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x24FC
Size: 7120 bytes