Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a8786902d32da16…

Verdict: MALICIOUS
File type: PDF
Size: 91.9 KB
Authoring application: GIMP
MD5: 3ac2f561d7c41771e10319384a7cc5cf
SHA-1: 946fc236eeed0d238746a74eb0311921ad62d752
SHA-256: 6a8786902d32da160b58de479a3b5ed71079b2802d6af36dc30f3f525ff38426
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of clickable links to other PDF files. The targets sit on several unrelated domains (one of them on weebly.com), yet all share the same site-builder upload path layout (/uploads/1/3/0/…/<numeric id>/…), which is what a generated link-farm carrier looks like rather than an author's citations. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the PDF_SEO_LINK_FARM heuristic independently point to a phishing or malicious-redirection campaign: the document exists to route readers into a chain of further PDFs and landing pages, not to convey content. The document body is obfuscated, but the link targets recovered from it are consistent with that link farm. The remaining extracted URLs (dejavu.sourceforge.net, savannah.gnu.org and the gnu.org licence pages) match the licence references that DejaVu and GNU FreeFont embed in their font metadata, so they most likely come from the three embedded font streams and are not part of the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9942

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://morehousehigh.weebly.com/uploads/1/3/0/2/130289430/4816429.pdf
    • http://maryleekemper.com/uploads/1/3/0/7/130739567/mivod.pdf
    • http://ndsportschannel.net/uploads/1/3/0/2/130288861/jimomamonopaw-niked-nebubazokogat-faselarid.pdf
    • http://visitcowan.org/uploads/1/3/0/5/130589444/tekajifo.pdf
    • http://trentriverdesigns.com/uploads/1/3/0/3/130323301/130323301.html#b+w+f+full+form
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
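To see what a rule like PDF_SEO_LINK_FARM actually measures, here is an added example written for this page (it is not the analysis service's own code). It pulls every /URI target out of a PDF's /Link annotations, handling both literal and hex strings and also looking inside FlateDecode-compressed objects where link-farm carriers tend to hide their annotations, then scores the result on link count, clustering on one host, share of .pdf targets and file size. The sample PDF is constructed inline with placeholder .test hostnames, and the thresholds (512 KB, five links, half on one host) are assumptions, not the service's tuning.

```python
"""Link-farm heuristic over a PDF's /Link annotations.

Added example for this page, not the analysis service's own rule. It extracts
/URI targets (literal and hex strings, in raw objects and inside FlateDecode
streams) and scores them on count, host clustering and file size."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample PDF (not the analysed file). Hostnames are placeholders
# under .test. Object 9 hides a sixth link inside a FlateDecode stream.
_HIDDEN_OBJ = (b"<< /Type /Annot /Subtype /Link /A << /S /URI "
               b"/URI (http://farm.test/uploads/1/3/0/2/9.pdf) >> >>")
_HIDDEN_STREAM = zlib.compress(_HIDDEN_OBJ)
SAMPLE_LINK_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.test/uploads/1/3/0/2/1.pdf) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.test/uploads/1/3/0/2/2.pdf) >> >> endobj\n"
    b"6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.test/uploads/1/3/0/2/3.pdf) >> >> endobj\n"
    # escaped parenthesis inside a literal string
    b"7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://other.test/a\\)b.pdf) >> >> endobj\n"
    # hex-string form of http://dex.test/
    b"8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <687474703a2f2f6465782e746573742f> >> >> endobj\n"
    b"9 0 obj << /Length " + str(len(_HIDDEN_STREAM)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + _HIDDEN_STREAM + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# Production code should honour /Length instead of trusting the endstream marker.
FLATE_RE = re.compile(rb"/FlateDecode\b.*?stream\r?\n(.*?)\r?\nendstream", re.S)
URI_LIT_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def inflate_streams(pdf: bytes) -> list:
    """Inflate every FlateDecode stream; corrupt ones are skipped, not fatal."""
    out = []
    for m in FLATE_RE.finditer(pdf):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return out


def _unescape(s: bytes) -> bytes:
    # PDF literal strings escape ( ) and \ with a backslash
    return re.sub(rb"\\([()\\])", rb"\1", s)


def extract_link_uris(pdf: bytes) -> list:
    """All /URI targets, from raw objects and from inflated streams."""
    uris = []
    for blob in [pdf] + inflate_streams(pdf):
        for m in URI_LIT_RE.finditer(blob):
            uris.append(_unescape(m.group(1)).decode("latin-1"))
        for m in URI_HEX_RE.finditer(blob):
            digits = re.sub(rb"\s", b"", m.group(1)).decode()
            if len(digits) % 2:  # PDF: a trailing odd digit is read as if followed by 0
                digits += "0"
            uris.append(bytes.fromhex(digits).decode("latin-1"))
    return uris


def score_link_farm(pdf: bytes, *, max_size=512 * 1024, min_links=5, cluster_share=0.5) -> dict:
    """Assumed thresholds: small file, at least min_links external links,
    and at least cluster_share of them pointing at a single host."""
    external = [u for u in extract_link_uris(pdf)
                if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(external) if external else 0.0
    pdf_targets = sum(urlsplit(u).path.lower().endswith(".pdf") for u in external)
    return {
        "size": len(pdf),
        "external_links": len(external),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_links": top_n,
        "top_host_share": round(share, 3),
        "pdf_targets": pdf_targets,
        "critical": len(pdf) <= max_size and len(external) >= min_links and share >= cluster_share,
    }


if __name__ == "__main__":
    for k, v in score_link_farm(SAMPLE_LINK_PDF).items():
        print(f"{k}: {v}")
```

On the constructed sample the scorer reports six external links on three hosts, four of them on farm.test, and flags the file; raising min_links above the link count clears the flag, which is the knob to tune against a corpus of benign small PDFs before deploying such a rule.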

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000010d1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10D1
    Size: 8476 bytes
    SHA-256: 060121800777f5cea2e3b662a460fa78e0fdbe891f79ccb3f41feb67fd6cc99d
  • font_01_sfnt_off0000ee11.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE11
    Size: 16248 bytes
    SHA-256: fb31025025499a0fb01c3c1bd89e32baf051e66ef536a35089523545b6160756
  • font_02_sfnt_off000106f0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x106F0
    Size: 20132 bytes
    SHA-256: 9622898eda93030e798e42ddf21425d7def646e8d37d0b9ca2f72fe2479ad70d
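The artifact table above is what a font carver produces. As an added example (not the analysis service's carver), the block below scans a PDF for sfnt magic, validates the table directory so that a stray 'true' token or the 0x00010000 version word at the start of a font's own 'head' table is not mistaken for a second font, and hashes each carve under a filename in the same font_NN_sfnt_offXXXXXXXX.bin form. The PDF and the two-table font are constructed inline; real embedded fonts carry many more tables and usually sit inside FlateDecode streams, which a carver has to inflate first (the inflating is not shown here).

```python
"""Carve embedded sfnt fonts (TrueType/OpenType) from a PDF and hash them.

Added example for this page, not the analysis service's carver. It scans for
sfnt magic, validates the table directory so random byte matches are rejected,
and skips hits that fall inside a font already carved."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def _fake_sfnt() -> bytes:
    """Constructed two-table sfnt; the 'head' table deliberately starts with
    the version word 0x00010000, so the magic also appears inside the font."""
    head = b"\x00\x01\x00\x00"             # head.version, 4 bytes
    name = b"nm" + b"\x00" * 4             # 6 bytes of placeholder data
    dir_end = 12 + 16 * 2
    header = struct.pack(">IHHHH", 0x00010000, 2, 32, 1, 0)
    records = struct.pack(">4sIII", b"head", 0, dir_end, len(head))
    records += struct.pack(">4sIII", b"name", 0, dir_end + len(head), len(name))
    body = head + name
    return header + records + body + b"\x00" * (-len(body) % 4)


FAKE_FONT = _fake_sfnt()
# Constructed sample PDF: one uncompressed font stream plus two 'true' tokens
# that are boolean values, not fonts.
SAMPLE_FONT_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /FontDescriptor /FontName /Fake /FontFile2 2 0 R >> endobj\n"
    b"2 0 obj << /Length " + str(len(FAKE_FONT)).encode() + b" >>\nstream\n"
    + FAKE_FONT + b"\nendstream\nendobj\n"
    b"3 0 obj << /Decoy true /Other true >> endobj\n"
    b"%%EOF\n"
)


def sfnt_length(buf: bytes, off: int, max_tables: int = 512):
    """Length of the font starting at off if a sane table directory is there, else None."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= max_tables or off + 12 + 16 * num_tables > len(buf):
        return None
    end = off + 12 + 16 * num_tables
    for i in range(num_tables):
        tag, _csum, t_off, t_len = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c <= 0x7E for c in tag):       # tags are printable ASCII
            return None
        if t_off < 12 or off + t_off + t_len > len(buf):   # table must lie inside the buffer
            return None
        end = max(end, off + t_off + t_len)
    end += -(end - off) % 4                                 # tables are 4-byte aligned
    return min(end, len(buf)) - off


def carve_sfnt_fonts(pdf: bytes) -> list:
    fonts, pos = [], 0
    while True:
        hits = [i for i in (pdf.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return fonts
        off = min(hits)
        length = sfnt_length(pdf, off)
        if length is None:
            pos = off + 1              # stray magic (e.g. the token 'true'), keep scanning
            continue
        blob = pdf[off:off + length]
        fonts.append({
            "name": f"font_{len(fonts):02d}_sfnt_off{off:08x}.bin",   # mirrors the table's naming
            "offset": off, "size": length,
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
        pos = off + length             # skip the 0x00010000 inside the carved font's 'head' table


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    for f in carve_sfnt_fonts(SAMPLE_FONT_PDF):
        print(f"{f['name']}  offset 0x{f['offset']:X}  {f['size']} bytes  {f['sha256']}")
```

The directory walk is what makes the carve trustworthy: the carved length comes from the table records rather than from the stream's /Length, so a font whose stream was padded or truncated still hashes consistently, which matters if the SHA-256 is going to be pivoted on across samples.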