Malicious PDF — malware analysis report

Static analysis result for SHA-256 60c60741936b19c9…

MALICIOUS

PDF

43.4 KB Authoring application: GIMP
MD5: efa29eed839a27006103474c70786efb SHA-1: 816edd4d9e74c5c52329bc2bc16c4a996aaf94f2 SHA-256: 60c60741936b19c9c32bf2ffe5b8d5fd958681813768b1642c2789918276d642
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. ClamAV detected this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and a machine learning classifier also flagged it as malicious. The document body contains garbled text, suggesting it is not intended for direct user consumption but rather as a container for the malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://aakyoga.com/uploads/1/3/0/3/130379604/91378d0d0042c33.pdf
    • http://express1shipper.com/uploads/1/3/0/2/130291696/8588584b46109.pdf
    • http://npaevents.com/uploads/1/3/0/6/130620736/4658370.pdf
    • http://msmailadministrator.net/uploads/1/3/0/7/130776130/934440.pdf
    • http://giustinasurbone.com/uploads/1/3/0/4/130476205/nitufor.pdf
    • http://pagangarden.com/uploads/1/3/0/6/130605420/4665770.pdf
    • http://joshuahorrom.com/uploads/1/3/0/4/130476732/pafexupuwuwabonigi.pdf
    • http://bespoken4u.com/uploads/1/3/0/7/130740129/6719467.pdf
    • http://nevadateach.com/uploads/1/3/0/7/130740551/3054778.pdf
    • http://onestopworkholding.com/uploads/1/3/0/7/130738996/gemilodarazu.pdf
    • http://bbfcafe.shop/uploads/1/3/0/2/130289196/5740599.pdf
    • http://patlyonscreations.com/uploads/1/3/0/8/130873992/4d40bdd75198419.pdf
    • http://batonrougehomeinspector.org/uploads/1/3/0/4/130476062/981760.pdf
    • http://doughertybl.com/uploads/1/3/0/5/130589297/majodewa.pdf
    • http://peake.design/uploads/1/3/0/3/130379178/7949097.pdf
    • http://benssmith.com/uploads/1/3/0/4/130435834/vigituwuxebebepature.pdf
    • http://pactup.com/uploads/1/3/0/7/130776407/8de8d4bd0dd.pdf
    • http://pipelinepress.com/uploads/1/3/0/7/130776218/webomutazo.pdf
    • http://eg45a.bpmtc.com/uploads/1/3/0/7/130776756/130776756.html#pneumocystis+carinii+pneumonia+diagnostic+test
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003ec0.bin
6dc6e07f93ae70488a19e8a398a1c6cda2f5723fc3d3cbe180c5afbb10c3611e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3EC0 2864 bytes
font_01_sfnt_off00004b69.bin
abb8500ef1ab8c68d11eb4c2cb7adf93096b6b3c8f0b5b00cc9391a7c5a378bb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B69 8284 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.