Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c39511ace70e879…

Verdict: MALICIOUS
File type: PDF
Size: 44.2 KB
Authoring application: Pdftk
MD5: cffe754c9f6a74d2f5e9bbe9ad41bdad
SHA-1: 54529f575bf724d45fc585761d2efe039f59161d
SHA-256: 5c39511ace70e879ac6740ec98764ae9ecf36ae0173c30f64b2afcd93b148fe3
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a mass external link farm pointing to numerous PDF files, a technique often used for SEO manipulation or to host malicious payloads. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate malicious intent, likely related to phishing or malware distribution. The presence of embedded URLs and the heuristic 'SE_DOWNLOAD_BUTTON' suggest the document is designed to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure [low] SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003ea9.bin
    SHA-256: cd75142faa664384e018e5309c2a17c6a3636875fb254f0a384bb7d06e04a3f2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3EA9
    Size: 16232 bytes
  • Filename: font_01_sfnt_off000056ac.bin
    SHA-256: 1de3e8b19713b80c14094a66c2580eee6df0bf955b0402c77e0151f2e37ded92
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x56AC
    Size: 8256 bytes