Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c490f6817cf7df9…

MALICIOUS

PDF

Size: 42.2 KB
Authoring application: Adobe PDF Library 9.0
MD5: a0487f58824990aca02bb7efc0dc3acc
SHA-1: 5f1cce9e4e0f8720c1f565169a46a6d301a20327
SHA-256: 6c490f6817cf7df9f27b8faefda6c2c3e386b78d1d276a6866a7e2363a8cbaf0
Risk Score: 192

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains multiple clickable links to external PDF files, a pattern typical of generated lure documents that hide the real payload behind a chain of redirects or route the reader to phishing pages. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier score both point to malicious intent. The embedded URLs are most plausibly lures that fetch further content or land on phishing pages. None of the heuristics below indicate a PDF parser exploit: the risk lies entirely in where the links lead, so the URLs and their hosts, rather than the file itself, are the indicators to block and hunt for. Do not open them outside an isolated sandbox.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL [high] PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path or query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures, where the visible document is only a prompt; it is not a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://getitgatorauto.com/uploads/1/3/0/2/130272458/e907e.pdf
    • http://steeltec.us/uploads/1/3/0/6/130621997/59a5eaee.pdf
    • http://kugamepufa.svet-christa.ru/uploads/2020/01/29/pezexures-jukewobifeva.pdf
    • http://visitoz.org/uploads/1/3/0/4/130483957/vufikivexerufat.pdf
    • http://safecitysecurity.com/uploads/1/3/0/7/130738537/3ae39f1a3578688.pdf
    • http://shoreexcursionspuertoplata.com/uploads/1/3/0/5/130551890/92eb2c95df727.pdf
    • http://xenuwep.service-ptauthentication.com/uploads/2020/01/28/c85eb72900eea.pdf
    • http://carrollcountydentistry.com/uploads/1/3/0/5/130589267/rizaxoriruj_zuzaduke_zesawivirov.pdf
    • http://1stgradetechnologylessons.weebly.com/uploads/1/3/0/2/130287269/faropomadalu-gejakomajepogis-nomapekuxafufe.pdf
    • http://cahabagrand.com/uploads/1/3/0/2/130271159/sezegob_xoxek_vizokam.pdf
    • http://battagliaresearchgroup.org/uploads/1/3/0/3/130323703/bd8df4.pdf
    • http://mybiohelp.com/uploads/1/3/0/4/130483801/texevamaxibarig.pdf
    • http://antiviruseprotectserviceonline.site/uploads/1/3/0/2/130271068/130271068.html#belimo+control+valve+manual
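The two link heuristics above, PDF_SEO_LINK_FARM and PDF_RANDOM_URL_LINK, can be reproduced for offline triage. The Python below is an added example written for this page and is not the scanner's own code: it builds a small constructed PDF whose /Link annotations reuse the path shapes seen in this sample on placeholder .example hosts, carves the /URI targets with a regex, and scores them the way the two heuristic descriptions read. The thresholds, the consonant/vowel alternation test used to call a host label "pronounceable-random", and every host in the sample are assumptions; the production analyzer's exact rules are not published.

```python
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: placeholder .example hosts with path shapes copied from the
# report (five .pdf links on one host, one on a generated-looking subdomain,
# one on an ordinary vendor host, one .html lure).
SAMPLE_URLS = [
    "http://farm-host.example/uploads/1/3/0/2/130272458/e907e.pdf",
    "http://farm-host.example/uploads/1/3/0/2/130272458/sezegob_xoxek_vizokam.pdf",
    "http://farm-host.example/uploads/1/3/0/2/130272458/texevamaxibarig.pdf",
    "http://farm-host.example/uploads/1/3/0/2/130272458/bd8df4.pdf",
    "http://farm-host.example/uploads/1/3/0/2/130272458/faropomadalu.pdf",
    "http://kugamepufa.other-host.example/uploads/2020/01/29/pezexures-jukewobifeva.pdf",
    "https://www.vendor.example/support/manual.pdf",
    "http://lure.example/uploads/130271068.html#belimo+control+valve+manual",
]

# Assumed thresholds; the production analyzer's values are not published.
MAX_SMALL_PDF_BYTES, MIN_PDF_LINKS, MIN_TOP_HOST_SHARE = 100_000, 5, 0.5
MIN_TOKEN_LEN, MIN_TOKEN_ENTROPY = 12, 3.0   # path token length / bits per char
MIN_LABEL_LEN, MIN_ALTERNATION = 7, 0.8      # host label length / C-V flip ratio
VOWELS = set("aeiouy")
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def build_sample_pdf(urls=SAMPLE_URLS):
    """Minimal uncompressed one-page PDF, one /Link with a /URI action per URL."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>", None]
    refs = []
    for i, url in enumerate(urls):
        refs.append(b"%d 0 R" % (4 + i))
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [10 %d 300 %d] "
                    b"/A << /S /URI /URI (%s) >> >>"
                    % (10 + 12 * i, 20 + 12 * i, url.encode()))
    objs[2] = (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
               b"/Annots [" + b" ".join(refs) + b"] >>")
    body = b"%PDF-1.4\n"
    for n, obj in enumerate(objs, 1):
        body += b"%d 0 obj\n%s\nendobj\n" % (n, obj)
    # No xref table is written; a regex carve does not need one.
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"

def extract_uri_links(pdf_bytes):
    """Carve every /URI action target.  Literal strings only; hex strings and
    links inside compressed object streams need a real parser (pypdf etc.)."""
    links = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        links.append(raw.decode("latin-1"))
    return links

def link_farm_verdict(pdf_bytes, urls):
    """PDF_SEO_LINK_FARM: small file, many clickable external .pdf links,
    most of them clustered on a single host."""
    pdf_links = [u for u in urls if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    hit = (len(pdf_bytes) <= MAX_SMALL_PDF_BYTES
           and len(pdf_links) >= MIN_PDF_LINKS and share >= MIN_TOP_HOST_SHARE)
    return {"hit": hit, "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2)}

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_pronounceable_random(label):
    """Crude test for dictionary-free 'pronounceable' label generators: long,
    purely alphabetic, nearly strict consonant/vowel alternation.  Real words
    can match too, so treat a hit as an indicator, not proof."""
    if len(label) < MIN_LABEL_LEN or not label.isalpha():
        return False
    kinds = [c in VOWELS for c in label.lower()]
    flips = sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)
    return flips / (len(label) - 1) >= MIN_ALTERNATION

def random_url_verdict(url):
    """PDF_RANDOM_URL_LINK: generated-looking leftmost host label AND a long
    high-entropy token somewhere in the path or query."""
    p = urlparse(url)
    labels = (p.hostname or "").split(".")
    host_random = len(labels) >= 3 and looks_pronounceable_random(labels[0])
    tokens = re.findall(r"[A-Za-z0-9]+", p.path + "?" + p.query)
    token = next((t for t in tokens if len(t) >= MIN_TOKEN_LEN
                  and shannon_entropy(t) >= MIN_TOKEN_ENTROPY), None)
    return {"hit": host_random and token is not None, "token": token}

def analyze(pdf_bytes):
    urls = extract_uri_links(pdf_bytes)
    return {"size": len(pdf_bytes), "urls": urls,
            "PDF_SEO_LINK_FARM": link_farm_verdict(pdf_bytes, urls),
            "PDF_RANDOM_URL_LINK": [u for u in urls if random_url_verdict(u)["hit"]]}

if __name__ == "__main__":
    print(analyze(build_sample_pdf()))
```

On the constructed sample, the link-farm rule fires (seven .pdf links, five of them on farm-host.example) and the random-URL rule fires only for the kugamepufa subdomain, whose path also carries the twelve-letter token jukewobifeva. The farm-host links with long random file names do not trip PDF_RANDOM_URL_LINK because that rule, as described on the page, needs both a generated-looking host and a high-entropy path token. For real samples, run extract_uri_links over the decompressed file (qpdf --qdf or a PDF library), since FlateDecode'd object streams hide annotations from a plain regex.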

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000013f0.bin
SHA-256:  046dbbd95730712c84f6887af4650241427b342eec32e31393f90dc443e31e39
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x13F0
Size:     8796 bytes