Malicious PDF — malware analysis report

Static analysis result for SHA-256 64ca24fcb8efcf0a…

Verdict: MALICIOUS
File type: PDF
File size: 68.6 KB
Authoring application: ImageMagick
MD5: 546dd1f44d7ff3b556dc6a5ef9d10e40
SHA-1: 3d86b1f29a33244e57253d28f7483a6b1d65392d
SHA-256: 64ca24fcb8efcf0aaf26fc28ae55a44539e5732e86eae4f3fd1b22715219deb5
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of embedded URLs, forming a link farm, which is a common technique for phishing and malware distribution. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' and the ML classifier's high confidence score further indicate malicious intent. The document body, though partially obfuscated, mentions 'Mobile number caller location apk', suggesting a lure to download potentially malicious applications disguised as useful tools.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://zafipaferem.weebly.com/uploads/1/3/0/2/130289233/vizefajibik.pdf
    • http://qualisplus.com/uploads/1/3/0/5/130550951/sewaw.pdf
    • http://theprofesionalgardener.org/uploads/1/3/0/4/130488320/tipavijoxur.pdf
    • http://paragonhunter.com/uploads/1/3/0/6/130621031/554072.pdf
    • http://sawtoothmountaincider.com/uploads/1/3/0/6/130604305/98cb4176880.pdf
    • http://mrbaugher.com/uploads/1/3/0/6/130604618/jojabasadiwimaxobor.pdf
    • http://jackbrucker.net/uploads/1/3/0/6/130604428/baridodesof_tedujare_foweme.pdf
    • http://visionary-affairs.com/uploads/1/3/0/3/130313208/budipajarevat_juvisuno_tuzemuxoxi.pdf
    • http://dirkhasslehoff.com/uploads/1/3/0/6/130621947/refudiviruvafexa.pdf
    • http://cityonloc.com/uploads/1/3/0/2/130289291/130289291.html#mobile+number+caller+location+apk
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001272.bin
  SHA-256: 42533df67c304d90a0214c110554934373407c161524ea97124baf1a46e1fd07
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1272
  Size: 8452 bytes

Filename: font_01_sfnt_off0000712e.bin
  SHA-256: c85265715462d99135a389c16641bf11adeafc7af154ae85ff618113351bb3ff
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x712E
  Size: 38740 bytes

Filename: font_02_sfnt_off0000bb6a.bin
  SHA-256: f9d18ee2094f64833bee98ee49f444e0457c565835a480bdccadffebdd6bee17
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBB6A
  Size: 20352 bytes