Malicious PDF — malware analysis report

Static analysis result for SHA-256 6369c04c40676b15…

Verdict: MALICIOUS
File type: PDF
Size: 47.0 KB
Authoring application: GIMP

MD5: c8fdb67da5eb4d75d522d101a757c3d3
SHA-1: 5350c0885b243d81afa3a5b3575781ce81584a73
SHA-256: 6369c04c40676b15548ffafd2697e4b40602f9575bede205a64732062c33a2e6

Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded URLs pointing to external PDF files, as flagged by the 'PDF_SEO_LINK_FARM' heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly suggest malicious intent. The document body, though heavily obfuscated, references URLs that also appear in the extracted URL list, reinforcing the link-farm attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001139.bin
  SHA-256: 21e3521385712649aae23c6860bb1666f3b6efe883ae23925943548faf4aef38
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1139
  Size: 8000 bytes

Filename: font_01_sfnt_off000054bf.bin
  SHA-256: 18d09f2bc9dca2f823ad8c170ea57e80abf33bbc2c39970c88cbe44166cc1e50
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x54BF
  Size: 6252 bytes

Filename: font_02_sfnt_off0000682c.bin
  SHA-256: f807e5acc3d3c488cd41d01762f90ff823422888615a479e9028449765281c76
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x682C
  Size: 1644 bytes

Filename: font_03_sfnt_off00007034.bin
  SHA-256: b3e61b7d7b8dbcb25e06124f2613e424f2009472c0f20d06ef3485b30c070708
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7034
  Size: 16192 bytes