Malicious PDF — malware analysis report

Static analysis result for SHA-256 66d34aa33c1bcdee…

Verdict: MALICIOUS
File type: PDF
Size: 45.9 KB
Authoring application: Serif PagePlus
MD5: 7757bd5a78d9f4b0436fb2b398fa3343
SHA-1: f3cbc4b7e4f6fcd7648a35236d972a37b083e66f
SHA-256: 66d34aa33c1bcdee5f2eb60c7ecdf9ba79e23873c42a57000bcb31c4a2813152
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by ClamAV as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and the Nyx PDF Classifier scored it 0.9998 malicious. The PDF_SEO_LINK_FARM heuristic fired on the number of clickable external links in such a small file, a pattern consistent with generated link-farm PDFs used for phishing or unwanted-software distribution. No JavaScript or other script objects were extracted, so the T1059.007 mapping is not backed by recovered code; the embedded link-annotation URLs are the primary indicators and most likely lead to further malicious content or phishing pages. The three gnu.org/savannah.gnu.org links are consistent with the licence metadata of the embedded GNU FreeFont sfnt streams listed under Extracted artifacts and are not indicators on their own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://andreartwork.com/uploads/1/3/0/5/130590412/7575796.pdf
    • http://assistensepay.live/uploads/1/3/0/3/130312971/2d04b31c337.pdf
    • http://nogginblock.net/uploads/1/3/0/5/130589389/928373.pdf
    • http://unioneast.net/uploads/1/3/0/5/130588490/16a640c0f.pdf
    • http://mhdodgebrawl.com/uploads/1/3/0/6/130639227/zajitexaxuvim_bumek_zowamenex.pdf
    • http://lamplify.org/uploads/1/3/0/6/130622025/kuxozinilonezopote.pdf
    • http://nicolitulk.com.au/uploads/1/3/0/7/130740117/130740117.html#odia+bhajan+namita+agrawal+song
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
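The PDF_SEO_LINK_FARM and EMBEDDED_URL entries above describe a check a triage pipeline can reproduce: pull the /URI targets out of the file's /Link annotations, count how many point at other PDFs, and measure how tightly they cluster. The block below is an added example of that logic, not the scanner's own code. It builds its own constructed test PDFs (invented hosts such as farm-host.example, invented paths), and the size, link-count and clustering thresholds are assumptions chosen for illustration, not the vendor's values. Because the report's own URL list is spread across many hosts but shares the /uploads/1/3/0/... path shape, the example also clusters on the path template, which is an extension of the host-clustering rule the heuristic text states.

```python
"""Link-farm heuristic over a PDF's /URI link annotations.

Added example, not the scanner's own code.  Models the PDF_SEO_LINK_FARM
signal: a small file, many external links to other PDFs, links clustered
on one host (or, as an extension here, on one path template).
Thresholds are illustrative assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI (literal-string) entries of /Link annotation actions in uncompressed objects.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def build_sample_pdf(urls):
    """Constructed test input: a one-page PDF whose only content is one
    /Link annotation per URL, with a valid xref so real readers open it."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objects.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] "
                   b"/Annots [" + refs + b"] >>")
    for i, url in enumerate(urls):
        y = 10 + 12 * i
        objects.append(
            b"<< /Type /Annot /Subtype /Link /Rect [10 %d 190 %d] "
            b"/A << /S /URI /URI (%s) >> >>" % (y, y + 10, url.encode()))
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    startxref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, startxref))
    return bytes(out)


def extract_link_uris(pdf):
    """Unique /URI targets in document order.  Caveat: a regex over raw bytes
    only sees uncompressed objects; annotations inside /ObjStm or with
    hex-string URIs need a real parser (pdfminer, pypdf) to inflate first."""
    seen = []
    for m in URI_RE.finditer(pdf):
        uri = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
        if uri not in seen:
            seen.append(uri)
    return seen


def link_farm_verdict(pdf, max_size=100_000, min_links=5, cluster_ratio=0.5):
    """Score the PDF_SEO_LINK_FARM pattern and return the evidence so the
    caller can log why it fired.  Thresholds are assumed, not the vendor's."""
    uris = extract_link_uris(pdf)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_targets = [u for u in external
                   if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    # Path template = first three path segments, e.g. "/uploads/1/3" (my extension).
    templates = Counter("/".join(urlparse(u).path.split("/")[:4]) for u in external)
    top_host = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tmpl = templates.most_common(1)[0] if templates else (None, 0)
    n = len(external)
    host_share = top_host[1] / n if n else 0.0
    tmpl_share = top_tmpl[1] / n if n else 0.0
    fired = (len(pdf) <= max_size and len(pdf_targets) >= min_links
             and max(host_share, tmpl_share) >= cluster_ratio)
    return {
        "fired": fired,
        "size": len(pdf),
        "external_links": n,
        "pdf_targets": len(pdf_targets),
        "top_host": top_host[0],
        "host_share": round(host_share, 2),
        "top_path_template": top_tmpl[0],
        "template_share": round(tmpl_share, 2),
    }


# Constructed inputs (invented hosts and paths): a link-farm carrier with one
# benign font-licence link mixed in, and an ordinary document with two citations.
FARM_URLS = [f"http://farm-host.example/uploads/1/3/0/{i}/{i}9393.pdf" for i in range(7)]
FARM_URLS.append("http://www.gnu.org/licenses/")
CITATION_URLS = ["https://savannah.gnu.org/projects/freefont/",
                 "https://example.org/paper.pdf"]

if __name__ == "__main__":
    for name, urls in (("farm", FARM_URLS), ("citations", CITATION_URLS)):
        print(name, link_farm_verdict(build_sample_pdf(urls)))
```

The verdict deliberately returns its evidence rather than a bare boolean: when a heuristic like this lands in a report, the analyst wants the top host, the share of links it owns and the count of .pdf targets next to the verdict, which is exactly how the report above justifies its own PDF_SEO_LINK_FARM hit.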

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000128f.bin
  SHA-256: cb321def18b8cb478c5f9a311837eac4550b7357be81992b4ee4f5bfe9310199
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x128F
  Size: 8672 bytes

font_01_sfnt_off00005307.bin
  SHA-256: 362efc88ee3e386859df28ac84511f1a9117469b97f067cf82e04b47197d905a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5307
  Size: 2024 bytes

font_02_sfnt_off00005d43.bin
  SHA-256: ad820fd72af8d3eb325aba95552e994ce567668abb5724ff8c75566df96ba8e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5D43
  Size: 13708 bytes