Malicious PDF — malware analysis report

Static analysis result for SHA-256 66226044f9ed7828…

MALICIOUS

PDF

84.9 KB Authoring application: QPDF
MD5: bea7e00dae3f3dc6b46f9fdec1f388bd SHA-1: f6aa0aeab88422770ab888af2b31b3bbab85237c SHA-256: 66226044f9ed7828bc8a2366a99212433ec4d36cec8722430563cf5b62049aa3
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file exhibits characteristics of a phishing lure, specifically using invoice or payment-related language to entice users. It contains a large number of embedded URLs pointing to external PDF files, suggesting a link farm designed to redirect users to malicious content. The ClamAV detection and ML classifier further support its malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://chicagokilnrepair.com/uploads/1/3/0/2/130291673/9297728.pdf
    • http://xoadd.me/uploads/1/3/0/4/130476814/pazegi.pdf
    • http://susangcave.com/uploads/1/3/0/2/130287847/malop-pipoxaramuro-nunogobikir.pdf
    • http://houstonsteinway.net/uploads/1/3/0/6/130620968/kobalelawikupat.pdf
    • http://chrisbrooksarchitecture.com/uploads/1/3/0/3/130379132/sevix.pdf
    • http://annafeingold.com/uploads/1/3/0/6/130604801/fidir.pdf
    • http://nickdeanconsulting.com/uploads/1/3/0/7/130775511/wanazinag-vaxituvegafow-gimot-muzewilixap.pdf
    • http://notemonkey.net/uploads/1/3/0/6/130621588/4da5965efbf6.pdf
    • http://patlyonscreations.com/uploads/1/3/0/7/130740010/diraxusar_moxelebe_zudepedirix.pdf
    • http://animalandiagta.com/uploads/1/3/0/6/130604616/ac0443.pdf
    • http://carlosdia.com/uploads/1/3/0/2/130291415/130291415.html#jr+monga+financial+accounting+b+com+1st+year+solution
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004b87.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4B87 16036 bytes
font_01_sfnt_off000062ce.bin
0b7eced12b8e518b74e1159a4b19d10252b24b428ad913daa5ae35eb46dfda8a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62CE 8712 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.