Malicious PDF — malware analysis report

Static analysis result for SHA-256 5cc99d1fc967194c…

MALICIOUS

PDF

52.7 KB Authoring application: Mobipocket Creator
MD5: b45cf4a53f16940319d8ea5e20bcca2e SHA-1: 2559266847a987de62ad5dbf1b79907c0a32f9da SHA-256: 5cc99d1fc967194cbd95714ae19c462481b33bd767ebfeefb6927a8a372eebd1
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO spam or to distribute malicious content. ClamAV identified this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', suggesting a phishing or traffic redirection purpose. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://sprucestreetlandscaping.com/uploads/1/3/0/2/130288380/3180803.pdf
    • http://hoysi.com/uploads/1/3/0/7/130738576/2816672.pdf
    • http://natedhill.com/uploads/1/3/0/5/130588675/9719333.pdf
    • http://mofosters.com/uploads/1/3/0/5/130550688/jaxegadalesi.pdf
    • http://nmediadigital.com/uploads/1/3/0/7/130775012/nibebegafepin_xalirow_topufagur_lizejorag.pdf
    • http://elfriedebartnitzky.com/uploads/1/3/0/5/130545128/3151969.pdf
    • http://smashmouthsweetsllc.com/uploads/1/3/0/5/130544687/dajalego-wefunurujaxexi.pdf
    • http://sigal.ca/uploads/1/3/0/6/130620379/f6fe804c68634.pdf
    • http://good-neighbor-network.com/uploads/1/3/0/6/130605275/4975877.pdf
    • http://completebeginners.net/uploads/1/3/0/5/130551697/8e9ebba6f138.pdf
    • http://garyzancanelli3.com/uploads/1/3/0/6/130604299/7401770.pdf
    • http://www.jesalynmaeharper.com/uploads/1/3/0/4/130483050/gonexok.pdf
    • http://abrandex-design.com/uploads/1/3/0/5/130588924/3906657.pdf
    • http://htrdrivingschool.com/uploads/1/3/0/6/130639294/kofasoruvagobi.pdf
    • http://nordykeart.com/uploads/1/3/0/7/130775837/dolasajimumu.pdf
    • http://weldamania.com/uploads/1/3/0/7/130740207/d76a1778c28ab3.pdf
    • http://www.christinaherrera.com/uploads/1/3/0/5/130539757/pukizuwamukajipewoku.pdf
    • http://tsjgc.com/uploads/1/3/0/5/130590059/ac773cd6e09fde8.pdf
    • http://legiontechconsultinggroup.com/uploads/1/3/0/7/130740022/dinogidej.pdf
    • http://lamee-dark-version3-de.devsite-1.com/uploads/1/3/0/3/130313314/130313314.html#sickle+cell+trait+vs.+disease
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00000f18.bin
f440a0e1d14a3b3ef2e8e29c20874aa12f249fd37edd8ceda3c82a51e9c8bf12		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF18 8924 bytes
font_01_sfnt_off0000826c.bin
6dc6e07f93ae70488a19e8a398a1c6cda2f5723fc3d3cbe180c5afbb10c3611e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x826C 2864 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.