Malicious PDF — malware analysis report

Static analysis result for SHA-256 600ee7c8df352668…

Verdict: MALICIOUS
File type: PDF
Size: 87.6 KB
Authoring application: Nitro PDF
MD5: 4a48a87c6ab753149fe7352cc9407ed8
SHA-1: ad8af8c2edfd1df7564ce5473695a0e8a1cafddf
SHA-256: 600ee7c8df352668b3a00d9ac8d4a59f24b13ab907feb8598c2ab5907156d17a
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of link annotations pointing to external PDF files spread across many throwaway hosts (most under near-identical /uploads/... paths), a pattern characteristic of generated SEO-poisoning / link-farm carriers that route users to malicious or unwanted-software delivery chains rather than of a normal document citation pattern. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier score (0.9999) strongly indicate malicious intent. No scripts were extracted, so there is no recovered JavaScript to show code execution on open; the document structure and the embedded URLs instead point to luring the user to click through to a follow-on payload or phishing site. The linked PDFs should be treated as the next stage of the chain and fetched and analysed separately.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host or path pattern. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://rosehillnow.com/uploads/1/3/0/5/130589229/dumijuxu.pdf
    • http://mikewrong.com/uploads/1/3/0/6/130604220/subumipu_gaxodapekuxu.pdf
    • http://lis.aewjasw.icu/uploads/2020/01/27/sidegigoxowoji.pdf
    • http://rwpdivephotography.com/uploads/1/3/0/5/130544591/liliwazonixube.pdf
    • http://jofev.kattyb.online/uploads/2020/01/27/tupevojeba_wumolisuvabosit_mokosusud.pdf
    • http://coca-cola-promo.icu/uploads/2020/01/28/5380dfe8775.pdf
    • http://apologiesfrommen.com/uploads/1/3/0/5/130539871/17b33e2.pdf
    • http://bigfatdomains.com/uploads/2020/01/27/bunasupelowax.pdf
    • http://dakivog.remsokna.ru/uploads/2020/01/28/pirenijiret.pdf
    • https://xoxigasake.weebly.com/uploads/1/3/0/5/130545827/buzifawal-tudijozagenoxi-muwomepiz.pdf
    • http://vorelisuw.audiostart63.icu/uploads/2020/01/28/wudabejejiwa_vowajus.pdf
    • http://cfthomas.com/uploads/1/3/0/6/130621248/130621248.html#bruce+banner+hulk+movie
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    The last three URLs (the Ascender Corporation site and the Liberation Font License page) are most likely license metadata carried inside the two embedded sfnt font streams carved below, not part of the link farm; they are context, not indicators of compromise. The remaining URLs are the actionable IOCs.
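The PDF_SEO_LINK_FARM heuristic above (and the reasoning in the Malware Insights paragraph) can be reproduced with a few lines of Python. The following is an added example written for this page, not the scanner's own rule or code from the report: it pulls the URLs out of uncompressed /URI link-annotation actions with a regex, groups them by host, and applies assumed size, link-count and host-clustering thresholds. The PDF it runs on is constructed in the script (build_sample_pdf), and the host names, thresholds and function names are illustrative assumptions.

```python
"""
Added example: a minimal PDF_SEO_LINK_FARM-style heuristic over PDF link
annotations, run on a constructed sample PDF.  Not the scanner's own rule;
thresholds, host names and function names are assumptions for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Matches the literal string of a /URI action, honouring backslash escapes.
# Caveat: this only sees uncompressed objects.  Real samples often keep their
# annotations in Flate-compressed object streams, so a production tool inflates
# those first (a proper PDF parser does this; out of scope here).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uri_links(pdf_bytes: bytes) -> list[str]:
    """Return the URLs found in uncompressed /URI actions, in file order."""
    out = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        # Undo the PDF literal-string escapes that matter for URLs.
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        out.append(raw.decode("latin-1"))
    return out


def link_farm_verdict(pdf_bytes: bytes, *, max_size: int = 512 * 1024,
                      min_pdf_links: int = 6, cluster_ratio: float = 0.5) -> dict:
    """
    Assumed heuristic (thresholds are illustrative): flag when the file is small
    (<= max_size), carries at least min_pdf_links external links ending in .pdf,
    and at least cluster_ratio of those links share one host.  Returns the
    evidence alongside the verdict so a pipeline can log it per URL.
    """
    urls = extract_uri_links(pdf_bytes)
    ext_pdf = [u for u in urls
               if urlparse(u).scheme in ("http", "https")
               and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in ext_pdf)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(ext_pdf) if ext_pdf else 0.0
    flagged = (len(pdf_bytes) <= max_size
               and len(ext_pdf) >= min_pdf_links
               and share >= cluster_ratio)
    return {"size": len(pdf_bytes), "urls": urls,
            "external_pdf_links": len(ext_pdf),
            "top_host": top_host, "top_host_share": share, "flagged": flagged}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed test input: a one-page, uncompressed PDF whose only content is
    one /Link annotation per URL.  No xref table; the regex parser needs none."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                f"/Annots [{refs}] >>".encode())
    for i, u in enumerate(urls):
        y = 700 - 14 * i
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [72 {y} 540 {y + 12}] "
                    f"/A << /S /URI /URI ({esc}) >> >>".encode())
    body = b"%PDF-1.4\n"
    for n, o in enumerate(objs, 1):
        body += f"{n} 0 obj\n".encode() + o + b"\nendobj\n"
    return body + b"trailer << /Root 1 0 R >>\n%%EOF\n"


# Constructed link-farm-like sample: many .pdf links, mostly on one host
# (hosts are placeholders, not the report's IOCs).
FARM_URLS = [f"http://farm.example/uploads/2020/01/27/doc{i}.pdf" for i in range(7)] + [
    "http://other.example/uploads/2020/01/28/doc.pdf",
    "https://docs.example/index.html#section",
]
# Constructed benign sample: the kind of citation links a normal document carries.
BENIGN_URLS = ["https://fedoraproject.org/wiki/Licensing/LiberationFontLicense",
               "http://www.ascendercorp.com/"]

if __name__ == "__main__":
    for name, urls in (("farm", FARM_URLS), ("benign", BENIGN_URLS)):
        v = link_farm_verdict(build_sample_pdf(urls))
        print(f"{name}: flagged={v['flagged']} pdf_links={v['external_pdf_links']} "
              f"top_host={v['top_host']} share={v['top_host_share']:.2f}")
```

Two design points worth keeping in mind when adapting this: the verdict returns its evidence rather than a bare boolean, so each URL can be labelled with the channel that reached it (here, link annotation) as the EMBEDDED_URL heuristic does; and links that do not end in .pdf, including font-license metadata URLs, are kept in the URL list but do not count toward the farm score.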

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                      Size
font_00_sfnt_off000012f4.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x12F4   8892 bytes
  SHA-256: 7b0887810ad4ca1dfdb1d6d12172420bcfb35be71eade05a07edaa02158f89df
font_01_sfnt_off00008cb5.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x8CB5   2680 bytes
  SHA-256: 480437884ac0b6d9fcc812d03c56ed28f568666de2b30b44bd42ac9599fc2464