Malicious PDF — malware analysis report

Static analysis result for SHA-256 663cedb104294874…

Verdict: MALICIOUS
File type: PDF
Size: 35.5 KB
Authoring application: Solid Converter PDF
MD5: 20e2693871503c8ed65d0e2f96fa0caa
SHA-1: 252b3bb42819913a3f2596f9cf21cd5dff66fe5d
SHA-256: 663cedb1042948746785eb9c8e9b721b6bcbaa222aad6232fd2194614441e4e9
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV also flagged this file as malicious, with ClamAV specifically identifying it as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The embedded URLs likely lead to phishing content or further malware distribution, aligning with a spearphishing attachment attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.mccallumjones.com/uploads/1/3/0/4/130488197/5550470.pdf
    • http://cen01-67-18-74-23.noc1.net/uploads/1/3/0/5/130539981/334047.pdf
    • http://treelance.com/uploads/1/3/0/5/130541073/6677027.pdf
    • http://rockymountainoverlandexpo.com/uploads/1/3/0/3/130379380/b3c1b60ee4.pdf
    • http://crybaby.club/uploads/1/3/0/7/130775632/8740863.pdf
    • http://sp9interactive.com.au/uploads/1/3/0/5/130539981/8d0023f5d1.pdf
    • http://platosretreat.net/uploads/1/3/0/7/130739298/zurajozuxa_fojited.pdf
    • http://minutegrillers.com/uploads/1/3/0/7/130738978/piloduxefus_vujizoxa_toxoso_rusewor.pdf
    • http://yourchartersoffreedom.com/uploads/1/3/0/7/130775375/rifurotire_rezapeluvu_dajagozutimo_sakokuvusuxemol.pdf
    • http://weblacarte.com/uploads/1/3/0/5/130551144/zowebasuxotum_zixura.pdf
    • http://rhinobullybook.com/uploads/1/3/0/6/130604694/629d6b9187aa42f.pdf
    • http://mta-sts.mail.genawave.com/uploads/1/3/0/7/130739658/sovofuvul.pdf
    • http://mundofeliz.es/uploads/1/3/0/7/130776252/lametipezu.pdf
    • http://mail.trouwautoroden.nl/uploads/1/3/0/2/130291712/5d136cc324b2d3.pdf
    • http://cadjungle.net/uploads/1/3/0/6/130621669/foxuborokezefumaroru.pdf
    • http://mta-sts.mx.inspiredimagecreations.com/uploads/1/3/0/8/130874278/zodaba.pdf
    • http://jilliananderic.com/uploads/1/3/0/2/130271150/3b307f27fa35.pdf
    • http://daduhuixianjinbaijiale.br3h.com/uploads/1/3/0/9/130969558/130969558.html#difference+between+valid+contract+void+contract+and+voidable+contract

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00002f0d.bin
    SHA-256: 209aad23e484ed930a1dea70b62f891b445fa3bda4b13baf90eba8f2237738a5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2F0D
    Size: 7400 bytes