Malicious PDF — malware analysis report

Static analysis result for SHA-256 61e6cb0d1f068d87…

Verdict: MALICIOUS
File type: PDF
Size: 39.6 KB
Authoring application: Soda PDF
MD5: 2e84177ae48825a6819edb7c17e4c551
SHA-1: fbab264e4a5c023bb102ee9a5e380e0987466371
SHA-256: 61e6cb0d1f068d8799285ef1f0d6d20130217ac6ebc18c04c85702b8272d1c4e
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries a large number of embedded URLs pointing at other PDF files, the pattern of a link farm used for SEO manipulation or malware distribution rather than the citation pattern of a normal document. ClamAV detects the file as Pdf.Phishing.TtraffRobotInstall, and a machine learning classifier also rates it malicious. The links are the likely lure: a reader who follows them is routed to further content hosted outside this document. All extracted links share the same /uploads/1/3/0/<digit>/130xxxxxx/ path layout across otherwise unrelated hosts, which is a useful pivot for blocking or hunting related carriers.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://sideshow.kameronmessmer.com/uploads/1/3/0/6/130604366/ae4c00b.pdf
    • http://mx.jointforcestsd.com/uploads/1/3/0/5/130540197/nigugaruzo-jamugabat-waketem-pifalejewuro.pdf
    • http://www.abareofficial.com/uploads/1/3/0/4/130489398/jilatapagifa-kogivokasexunot-gewoxabegixa-gibujof.pdf
    • http://karudan.site/uploads/1/3/0/2/130270923/3db0ebf34440d.pdf
    • http://arnould-achats-consulting.com/uploads/1/3/0/8/130815482/14bcf0f6a.pdf
    • http://accordingtoiris.com/uploads/1/3/0/5/130551064/3eb73e22420.pdf
    • http://mgmtinsight.net/uploads/1/3/0/8/130874162/favimejemezekad.pdf
    • http://barrasfordgarage.com/uploads/1/3/0/7/130740385/5144912.pdf
    • http://boyscoutpopcorn.online/uploads/1/3/0/6/130621405/bemededopevum.pdf
    • http://mykedixon.com/uploads/1/3/0/2/130287945/cc5e288ab16f5a5.pdf
    • http://www.flewthecoop.com.au/uploads/1/3/0/2/130287890/raduwefubixumasus.pdf
    • http://hostmaster.ubonpartners.com/uploads/1/3/0/9/130969555/fataxipogemada_rojegu_vipulok.pdf
    • http://mx.pdcopportunitycenter.org/uploads/1/3/0/6/130604168/efc2d40079.pdf
    • http://community-power.org/uploads/1/3/0/6/130605217/vokated_nujofafebode_wases.pdf
    • http://meetkennedie.com/uploads/1/3/0/6/130621755/fagogutuzosaxus-bixiduguvu.pdf
    • http://onnellisuuskoulu.net/uploads/1/3/0/6/130621055/gijegikinu.pdf
    • http://beyondbedside.com/uploads/1/3/0/5/130543874/52221.pdf
    • http://cjfalconer.com/uploads/1/3/0/5/130538863/nabivaxar-nagazodigis.pdf
    • http://nourishingpacificnw.com/uploads/1/3/0/7/130739756/natunesozoxof.pdf
    • http://lykkenkommerindefra.dk/uploads/1/3/0/8/130874678/130874678.html#autocad+civil+3d+2019+fundamentals+sdc
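The PDF_SEO_LINK_FARM heuristic above can be reproduced in a few lines. The following is an added example written for this page, not the scanner's own code: it pulls /URI targets out of link annotations in the raw file, counts how many are external and end in .pdf, and measures how concentrated they are on a single host. Thresholds are assumptions, the two sample PDFs are constructed inline, and host concentration is reported as a separate signal rather than a requirement for the verdict, since the links listed in this report span distinct hosts while still matching the farm pattern.

```python
"""
PDF link-farm heuristic: extract /URI link targets from a raw PDF and score them.
Added example, not the scanner's own code. Thresholds and sample PDFs are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI (literal string) inside a link annotation's action dictionary. This handles
# the common unescaped case; a production tool also needs \-escapes and <hex> strings.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

# Constructed sample link sets (hosts are illustrative, not from the report).
FARM_URLS = [f"http://files.example.net/uploads/1/3/0/{i}/doc{i}.pdf" for i in range(12)] + [
    "http://other.example.org/uploads/1/3/0/9/extra.pdf",
    "http://third.example.com/index.html#some+search+phrase",
]
BENIGN_URLS = [
    "https://example.org/paper.pdf",
    "https://example.com/",
    "mailto:author@example.com",
]


def build_sample_pdf(urls):
    """Build a minimal single-page PDF with one /Link annotation per URL.
    Constructed test input; the xref table is real so ordinary readers open it."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annot_refs + b"] >>")
    for i, url in enumerate(urls):
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [36 %d 300 %d] "
                    b"/A << /S /URI /URI (%s) >> >>" % (700 - 12 * i, 710 - 12 * i, url.encode()))
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


def extract_link_uris(pdf_bytes):
    """Return every /URI target found in the raw file, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def link_farm_score(pdf_bytes, max_size=100_000, min_links=10, min_pdf_ratio=0.7, min_host_share=0.5):
    """Return (flagged, signals). Flags a small file carrying many external links that
    mostly point at .pdf resources; host concentration is reported as a separate signal."""
    external = [u for u in extract_link_uris(pdf_bytes) if urlparse(u).scheme in ("http", "https")]
    n = len(external)
    pdf_links = sum(1 for u in external if urlparse(u).path.lower().endswith(".pdf"))
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    signals = {
        "size_bytes": len(pdf_bytes),
        "external_links": n,
        "pdf_link_ratio": pdf_links / n if n else 0.0,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / n if n else 0.0,
    }
    signals["clustered"] = signals["top_host_share"] >= min_host_share
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and signals["pdf_link_ratio"] >= min_pdf_ratio)
    return flagged, signals


if __name__ == "__main__":
    for name, urls in (("link-farm sample", FARM_URLS), ("benign sample", BENIGN_URLS)):
        flagged, sig = link_farm_score(build_sample_pdf(urls))
        print(f"{name}: flagged={flagged} {sig}")
```

The regex scan works on the raw bytes on purpose: link-farm carriers are usually generated with unfiltered annotation dictionaries, and scanning the file as-is also catches links in objects a strict parser would skip because of a damaged xref. Links inside compressed object streams (PDF 1.5+) need the streams inflated first.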

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003e26.bin
SHA-256: 27c2fe59b3173a108c702b42aee05b5b4b28ebcfbaf6674b3b94ded479007eb0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3E26
Size: 7168 bytes
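An embedded-font artifact like the one above is located by its sfnt header and sized from its own table directory, independent of the PDF object that wraps it. The following is an added example written for this page, not the scanner's carving code: it scans a byte buffer for the sfnt magic values, validates the table directory, and returns the offset and byte length of each plausible font. The sample buffer is constructed inline and includes a literal "true" token as a deliberate false-positive candidate.

```python
"""
Carve sfnt (TrueType/OpenType) fonts from a raw byte buffer by walking the table directory.
Added example, not the scanner's carving code; the sample buffer is constructed.
"""
import struct

# sfnt version / magic values: TrueType (0x00010000), CFF-based OpenType ("OTTO"),
# and the Apple "true" tag.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64  # sanity bound; real fonts have well under this many tables


def sfnt_length(buf, off):
    """Length of the sfnt starting at buf[off], derived from its table directory
    (furthest table end, rounded up to 4-byte alignment), or None if the header
    does not look like a real font."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 0 < num_tables <= MAX_TABLES:
        return None
    end = 12 + 16 * num_tables           # header + directory
    if off + end > len(buf):
        return None
    for i in range(num_tables):
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):   # table tags are printable ASCII
            return None
        if off + t_off + t_len > len(buf):          # table would run past the buffer
            return None
        end = max(end, t_off + t_len)
    return (end + 3) & ~3


def carve_sfnt(buf):
    """Return [(offset, length), ...] for every plausible sfnt in buf, in file order."""
    found, i = [], 0
    while i + 4 <= len(buf):
        if buf[i:i + 4] in SFNT_MAGICS:
            n = sfnt_length(buf, i)
            if n:
                found.append((i, n))
                i += n                   # skip the font body; no nested matches inside
                continue
        i += 1
    return found


def build_sample_sfnt(tables):
    """Constructed minimal TrueType-flavoured sfnt: header, directory, then each
    table body padded to 4 bytes. Checksums and search fields are left at zero."""
    n = len(tables)
    dir_len = 12 + 16 * n
    header = bytearray(struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0))
    data = bytearray()
    for tag, body in tables:
        header += struct.pack(">4sIII", tag, 0, dir_len + len(data), len(body))
        data += body + b"\x00" * (-len(body) % 4)
    return bytes(header + data)


# Constructed sample: a font stream sitting inside PDF-looking bytes. The literal
# "true" in the dictionary is a deliberate false-positive candidate for the "true" magic.
SAMPLE_FONT = build_sample_sfnt([(b"head", b"\x00" * 54), (b"name", b"abc")])
SAMPLE_BUF = (b"%%PDF-1.4\n5 0 obj\n<< /Length %d /Interpolate true >>\nstream\n" % len(SAMPLE_FONT)
              + SAMPLE_FONT + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for off, length in carve_sfnt(SAMPLE_BUF):
        print(f"sfnt at offset 0x{off:X}, {length} bytes")
```

Sizing from the table directory rather than the stream's /Length is deliberate: a /Length value can lie or be absent in a damaged file, while the directory is what a font rasterizer actually trusts. Fonts inside FlateDecode streams have to be inflated before this scan sees them.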