Malicious PDF — malware analysis report

Static analysis result for SHA-256 61183a9951fff60a…

MALICIOUS

PDF

Size: 37.9 KB
Authoring application: Mobipocket Creator
MD5: fb8858c2631e9a0bbf62f5bd7389fcea
SHA-1: 2265dc2b5e2c403eaa1d1f7ce9c104a0ee769071
SHA-256: 61183a9951fff60af24cd20b7f7e975f4aea88b0c5bd136012e67637060a15e4
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links to external PDF files hosted on various domains, indicative of a link farm or a distribution mechanism for further malicious content. ClamAV and ML classifiers strongly indicate maliciousness, and the embedded URLs are the primary indicators of compromise. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000334c.bin
SHA-256: 4ba6d00e31410e851a33c03774fa15e150ee9566ce34908164ad2588839fbd34
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x334C
Size: 9660 bytes