Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ab72757f678c906…

Verdict: MALICIOUS

File type: PDF
Size: 96.2 KB
Authoring application: Poppler-utils
MD5: 28a7bd93797ed33b3283b10f37c62cc5
SHA-1: 1e607c86d0b48027404af2273dfc7d7f3bdef75b
SHA-256: 5ab72757f678c906f4ee9e2b04e02487f7f032211a16384231186d4354c8f707
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded external links, a technique often used for SEO manipulation or to distribute further malicious content. ClamAV detected this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and an ML classifier also flagged it as malicious. The presence of numerous links suggests an attempt to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9985

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000e364.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE364
    Size: 1388 bytes
    SHA-256: 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0
  • Filename: font_01_sfnt_off0000ee0e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE0E
    Size: 20340 bytes
    SHA-256: 34ff9237d3e952df241eb86d09f3f08722d185e34448e49db9e27626baecf884
  • Filename: font_02_sfnt_off0001237a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1237A
    Size: 6756 bytes
    SHA-256: 6f45ba7dfc180d8955ddf035f630942fd8290db10e4544948c13f91310bbe9f7