Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ba92a8980edb2d3…

Verdict: MALICIOUS
File type: PDF
Size: 38.9 KB
Authoring application: pdf-parser
MD5: 694e02c9b344c89351d8bfce68448aac
SHA-1: b1c268672ad7441be556dc0906fe65955e1be678
SHA-256: 5ba92a8980edb2d3c7d8310bb0cca270112fde318d47bf88077ad6bf8745ba4c
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a large number of embedded external links, as detected by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV also flagged this file as malicious, with ClamAV identifying it as Pdf.Phishing.TtraffRobotInstall. The document body itself contains a mix of text and what appears to be obfuscated content, including numerous URLs that are likely part of a link farm or phishing campaign. The primary attack pattern involves directing users to a vast array of external PDF resources.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001601.bin
  SHA-256: d166bb1a36df0aa28e9c1f84a335be9a8a5531f171cba99ef199cc84d5bf7342
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1601
  Size: 7776 bytes

Filename: font_01_sfnt_off00005c27.bin
  SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5C27
  Size: 2652 bytes