Malicious PDF — malware analysis report

Static analysis result for SHA-256 5ce77d57e3f1c634…

Verdict: MALICIOUS
File type: PDF
Size: 31.6 KB
Authoring application: Pdftk
MD5: 647487323947ac7807ac382d50034043
SHA-1: d70c4fa5e5957148e1425b91607e3dfbba554180
SHA-256: 5ce77d57e3f1c634912a0ce19af135797a2a08210e90fab05a6feedf1a881005
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, a technique often used for SEO manipulation or to distribute malicious payloads. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The document body itself appears to be corrupted or contains irrelevant data, but the presence of numerous URLs points to a phishing or content distribution attack.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001e88.bin
SHA-256: 87d5f90d5a0960d79044d427069b79ed7b23bbfa4c4ae27b9ab120fa84a8f57c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1E88
Size: 7088 bytes