Malicious PDF — malware analysis report

Static analysis result for SHA-256 62d65a35c6c4143d…

Verdict: MALICIOUS
File type: PDF
Size: 35.3 KB
Authoring application: ImageMagick
MD5: 3120a51be4b664d95f9d420f1ee3c2c1
SHA-1: cae8baea8c330283230ed2ae48ce9890e2428bad
SHA-256: 62d65a35c6c4143d0ec25b00f454e9d51523a4246d03c4b6730441309e1f4a41
Risk score: 312

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF contains an embedded JavaScript payload that likely attempts to download and execute a second-stage payload from one of the numerous linked URLs. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the heuristic 'PDF_SEO_LINK_FARM' strongly indicate a phishing or malware distribution campaign. The document body's mention of 'Windows shell scripting commands pdf' and 'PowerShell' further supports the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (7)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EXTRACTED_FILE_CLAMAV (critical): ClamAV detection on extracted artifact
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator that the sample is a delivery vehicle.
  • PDF_EMBEDDED_SCRIPT_PAYLOAD (high): Embedded script payload in PDF stream
    PDF stream bytes contain script execution markers such as ActiveXObject/CreateObject, WScript.Shell, PowerShell, or shell-exec primitives. This is stronger than ordinary PDF JavaScript because it indicates a staged external script payload hidden in stream bytes.
  • SE_LOLBIN_RUN_COMMAND (high): LOLBin token sequence in document text
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • EXTRACTED_FILE_STATIC_TRIAGE (medium): Suspicious extracted artifact
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: embedded_pdf_script_0000008c.bin
SHA-256: 45ea45af3544485be64adbd0ad40a4bdbdf4daab6a9edafac23e2adce8dc559d
Kind: pdf-embedded-script
Source: PDF decompressed stream script payload at offset 0x8C
Size: 36147 bytes
Detection: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
Obfuscation or payload: likely
Note: Carved artifact contains 1 shell/COM execution token(s).

Filename: font_00_sfnt_off00002f1a.bin
SHA-256: f89919ec9e3a7c2f94dfc9d55ed4d84a8fc7e29b24e531354e4ca35854e84ac5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2F1A
Size: 8324 bytes