Malicious PDF — malware analysis report

Static analysis result for SHA-256 6836b4f9684dcd6f…

MALICIOUS

PDF

Size: 30.5 KB
Authoring application: PDFedit
MD5: 473b56d5ba70a8558c5440db077a110d
SHA-1: c47e37e0b5377d84445ae66430100368512cbb97
SHA-256: 6836b4f9684dcd6f1340dfc9cf814502e5215a813d0c1977fa13781924784bc7
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule and ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0. The document body contains a large number of embedded URLs pointing to other PDF files. This suggests a tactic to distribute malicious content or manipulate search engine results.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001487.bin
SHA-256: 33bfc43b701cf51e0f6f58789432f7058ce5dccc704ecb747c13200960d85089
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1487
Size: 6788 bytes