Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d8ca1a262f3a5c9…

MALICIOUS

PDF

Size: 44.7 KB
Authoring application: GIMP
MD5: 6b271900535caa0d2f9e57f9fd26a79d
SHA-1: a110f5f280b2d7efa5caaa98edce63428b6ad1d5
SHA-256: 5d8ca1a262f3a5c92c82386b6a9d44de7e3fd92650ad2790208a4a05bc39ad4e
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDF files, suggesting a link farm designed to distribute malicious content. The presence of a "download button" heuristic further supports the idea that the document is intended to trick users into downloading additional malicious files. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall' reinforces the phishing and download-lure nature of this document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure [low, SE_DOWNLOAD_BUTTON]
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://familymedicineokc.com/uploads/1/3/0/7/130776269/wojasitukulozax-ginowalavemeva-vigina.pdf
    • http://store.themovementdr.net/uploads/1/3/0/3/130324136/6116068.pdf
    • http://wsuchallenge.weebly.com/uploads/1/3/0/5/130539357/7464529.pdf
    • http://bigislandpartyrentals.com/uploads/1/3/0/6/130620798/fibeminasazebike.pdf
    • http://huatequelive.com/uploads/1/3/0/5/130550993/renakewurepu.pdf
    • http://mytjscatering.com/uploads/1/3/0/7/130740597/33adb44fb42.pdf
    • http://schmittwoodworkingllc.com/uploads/1/3/0/5/130543787/nujotinakipaxa-mabebuliw-vemuragit-gikixazamu.pdf
    • http://xejojano.oracul.pro/uploads/2020/01/29/9478592.pdf
    • http://dallasmendingminds.com/uploads/1/3/0/7/130739904/merozogefuti.pdf
    • http://allyourbabes.com/uploads/1/3/0/7/130776605/pagabe-jowakefafida-tegixag.pdf
    • http://chewoncakes.com/uploads/1/3/0/2/130274146/130274146.html#utorrent++for+mac+app+store
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001300.bin
    SHA-256: 95a117a9e372f40c3ec4ec54d128ac3b5761e76a03431feb5da828c49ab495d3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1300
    Size: 8756 bytes
  • Filename: font_01_sfnt_off00006811.bin
    SHA-256: 45c39c4315a5d00962143d4102937301eb2649728d6de39b959633cfc30365c3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6811
    Size: 16144 bytes