Malicious PDF — malware analysis report

Static analysis result for SHA-256 667fabd2676b2125…

Verdict: MALICIOUS
File type: PDF
Size: 40.6 KB
Authoring application: QPDF
MD5: 492a9694681c2503033dfe2d6e0ebe99
SHA-1: 8a53567f54836cc53b40af5db8a690bb0967ab82
SHA-256: 667fabd2676b2125fae0da9a0649f4836d60f566c87b5ef316ea60e419630e56
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO spam or to distribute further malicious content. ClamAV and ML classifiers also flagged this file as malicious, specifically identifying it as a phishing or traffic-robot-related threat. The embedded URLs are the highest priority IOCs for tracking the distribution network.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000302c.bin
  SHA-256: b3affdfdfee497c2d3230853582529cf395d265bfdbb8cde7d84ae9c33602211
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x302C
  Size: 16036 bytes

Filename: font_01_sfnt_off00004727.bin
  SHA-256: 6fb1bd38e939e0b81b48785c3e526e0a8618d2320dcd73b782dd377bdb593093
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4727
  Size: 7768 bytes