Malicious PDF — malware analysis report

Static analysis result for SHA-256 6b984dc86b90a5c7…

Verdict: MALICIOUS
File type: PDF
Size: 31.7 KB
Authoring application: Adobe PDF Library 9.0
MD5: 4b35777e2214e69ab594567bae71db73
SHA-1: 7bec75afe08b81628e08a634706720e561d1d9a3
SHA-256: 6b984dc86b90a5c73950b3a92845e745eb43df18b19b45db497700adc7e391ed
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file contains a large number of embedded links to external PDF files, a technique commonly used for SEO poisoning or for distributing malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier's high-confidence score together indicate malicious intent. The embedded URLs most likely serve to redirect users to malicious sites or to download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001231.bin
SHA-256: de29e158e47f39ab978c1f4af72a8875de912b7664bd314014303690ddb30e7a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1231
Size: 7588 bytes