Malicious PDF — malware analysis report

Static analysis result for SHA-256 642b4db2b1968c41…

MALICIOUS

PDF

Size: 43.6 KB
Authoring application: PDF Studio
MD5: 6b840c6210ee0ad5a4e5353c97436ff9
SHA-1: c740654ee7aa40f2d71fbf8460d5effb3376ac2a
SHA-256: 642b4db2b1968c41088e82687f2ab4b10e98f0153269f2db138dceaad0637f9f
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document was flagged by multiple heuristics, including the critical PDF_SEO_LINK_FARM rule and a ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0. The document carries a large number of clickable external links (26 extracted URLs), almost all of them pointing at further PDF files under /uploads/ paths on unrelated hosts, which matches a generated SEO/link-farm PDF used to route readers into an unwanted-software delivery chain rather than a document with a normal citation pattern. Several targets are Weebly subdomains or throwaway .xyz/.tech/.icu/.pw/.online hosts, and one host name (lnstagram-helpservice.com, spelled with a leading lowercase L) imitates a well-known brand. The sample's only apparent function is to direct users to those external PDF files.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel labels (macro, JS, link annotation, document body, ...) where available for which channel reached each URL.
    • https://delukavajuvafe.weebly.com/uploads/1/3/0/2/130288932/6c8335bc0ad2ed.pdf
    • https://vexupowira.weebly.com/uploads/1/3/0/4/130483632/sojekaj.pdf
    • http://nefekakara.zahopl.xyz/uploads/2020/01/27/343d06508f3e.pdf
    • http://laz.therutor.tech/uploads/2020/01/28/pajanuke.pdf
    • http://mofe.vid-downloader.tech/uploads/2020/01/29/556071.pdf
    • http://merive.arenda-apparata.ru/uploads/2020/01/28/e04fc3d81015ab.pdf
    • http://pimuninafa.agm90.icu/uploads/2020/01/28/vujomurobugulugenag.pdf
    • https://dukerejopikider.weebly.com/uploads/1/3/0/2/130291489/08e764c5563e.pdf
    • http://sana.activityedge.com/uploads/2020/01/28/4615246.pdf
    • http://vuser.tht-premiere.online/uploads/2020/01/28/rezonuxena-renete-murep.pdf
    • http://xapasa.zhenskiedni.ru/uploads/2020/01/28/9af4e15d4692f.pdf
    • http://wefaxe.slimtelo.pw/uploads/2020/01/27/59fe055c865566.pdf
    • http://xbysantana.com/uploads/1/3/0/4/130476601/9152896.pdf
    • http://duze.dateloveers.online/uploads/2020/01/27/gilefavajafini.pdf
    • http://lnstagram-helpservice.com/uploads/2020/01/29/mosidux.pdf
    • http://arsic.org/uploads/1/3/0/2/130272906/bisobedob.pdf
    • http://fakonon.avtovikuppro.ru/uploads/2020/01/28/32b4f39ef.pdf
    • http://pwdutilityplans.com/uploads/1/3/0/5/130550697/numamuketida_wifow_zojuxaku_kafivuwuraxidi.pdf
    • http://jova.navigator-znaniy.ru/uploads/2020/01/28/965816051187415.pdf
    • http://abylcoaching.com/uploads/1/3/0/5/130588276/18442b01990.pdf
    • http://josogili.vipiski-besplatno19.icu/uploads/2020/01/29/4f2efef9fe.pdf
    • https://sokikuded.weebly.com/uploads/1/3/0/6/130603982/7427342.pdf
    • http://ubezpieczeniatrawinski-chelmza.pl/uploads/1/3/0/5/130588560/6344716.pdf
    • http://benchmarkcoachingapp.com/uploads/1/3/0/5/130543787/zorum_wesuzuwaso_toviwori.pdf
    • http://violetscape.com/uploads/1/3/0/6/130621219/kegitasem-nedotijutagore.pdf
    • http://shopdorothys.com/uploads/1/3/0/4/130483911/130483911.html#payback+period+pdf
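The PDF_SEO_LINK_FARM heuristic above combines three features: the file is small, it carries many clickable links to external .pdf paths, and those links cluster on a few parent domains. The script below is an added example (not the analysis engine's own code) that reproduces that logic: it builds a constructed one-page PDF with one /Link annotation per URL, extracts /URI strings from the raw bytes, and scores the result. The URLs, the 64 KB size limit and the 10-link threshold are assumptions chosen for the demonstration; the parent-domain guess simply takes the last two host labels and does not consult a public-suffix list.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample URLs (not taken from the analysed file): eight lures on
# subdomains of one parent domain, three on two other domains, one non-PDF link.
SAMPLE_URLS = [
    "https://lure1.example.com/uploads/1/0/0/1/a1b2c3.pdf",
    "https://lure2.example.com/uploads/1/0/0/2/d4e5f6.pdf",
    "https://lure3.example.com/uploads/1/0/0/3/guide.pdf",
    "https://lure4.example.com/uploads/1/0/0/4/manual.pdf",
    "https://lure5.example.com/uploads/1/0/0/5/form.pdf",
    "https://lure6.example.com/uploads/1/0/0/6/invoice.pdf",
    "https://lure7.example.com/uploads/1/0/0/7/notes.pdf",
    "https://lure8.example.com/uploads/1/0/0/8/paper.pdf",
    "http://cdn.example.net/uploads/2020/01/27/x1.pdf",
    "http://files.example.net/uploads/2020/01/28/x2.pdf",
    "http://example.org/uploads/2020/01/29/x3.pdf",
    "http://example.org/index.html#payback+period+pdf",  # not a .pdf path, not counted
]

# /URI followed by a PDF literal string; "\(" "\)" "\\" escapes inside are allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def build_sample_pdf(urls):
    """Constructed sample: a one-page PDF with one /Link annotation per URL.
    Object offsets are computed so the xref table is valid."""
    annot_refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs = [
        "<< /Type /Catalog /Pages 2 0 R >>",
        "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annot_refs}] >>",
    ]
    for i, u in enumerate(urls):
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [72 {700 - 14 * i} 540 {712 - 14 * i}] "
                    f"/A << /S /URI /URI ({esc}) >> >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{n} 0 obj\n{body}\nendobj\n".encode()
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref}\n%%EOF\n".encode()
    return bytes(out)


def extract_uris(pdf_bytes):
    """Return every /URI literal string found in the raw bytes, escapes undone.
    Annotations stored inside compressed object streams are not visible to this scan."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))
        uris.append(raw.decode("latin-1"))
    return uris


def parent_domain(host):
    """Crude registrable-domain guess (last two labels, no public-suffix list),
    so many subdomains of one hosting provider collapse onto one parent."""
    labels = (host or "").lower().split(".")
    return ".".join(labels[-2:])


def score_link_farm(pdf_bytes, max_size=64 * 1024, min_pdf_links=10):
    """Assumed thresholds: 'small' means at most max_size bytes, 'mass' means at
    least min_pdf_links distinct external links whose path ends in .pdf."""
    pdf_links = sorted({
        u for u in extract_uris(pdf_bytes)
        if urlparse(u).scheme in ("http", "https") and urlparse(u).path.lower().endswith(".pdf")
    })
    hosts = Counter(parent_domain(urlparse(u).hostname) for u in pdf_links)
    top = hosts.most_common(1)
    top_host, top_n = top[0] if top else (None, 0)
    return {
        "size": len(pdf_bytes),
        "external_pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": (top_n / len(pdf_links)) if pdf_links else 0.0,
        "flagged": len(pdf_bytes) <= max_size and len(pdf_links) >= min_pdf_links,
    }


def analyse_sample():
    return score_link_farm(build_sample_pdf(SAMPLE_URLS))


if __name__ == "__main__":
    for key, value in analyse_sample().items():
        print(f"{key}: {value}")
```

A raw-byte scan like this catches the plain annotation dictionaries that generated link-farm PDFs usually contain, but a production extractor should first decompress object streams (/ObjStm) and also handle /URI values given as hex strings, otherwise a carrier that packs its annotations into a FlateDecode stream reports zero links and is never flagged.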

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000017cf.bin
SHA-256: aebedf2605fc593ff228ae1ad3327e7d441020a0e4c5e07ef37ea18bd0807cb3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x17CF
Size: 8140 bytes