Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c49877837805e36…

Verdict: MALICIOUS
File type: PDF
Size: 48.1 KB
Authoring application: SWFTools
MD5: 25a4c2fe669a4f18c52d5c2a80655aae
SHA-1: 585e7ffe6c0a478480a276ed0ee442ddc518d14a
SHA-256: 6c49877837805e3642f4c1c8812db1308feb9b89c416de0c98395ca2864f6e44
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection and ML classifier also strongly suggest malicious intent. The embedded URLs likely lead to further malicious content or phishing pages, and the document body's garbled text does not provide clear instructions but hints at a lure. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://stm233.com/uploads/1/3/0/3/130379342/kejupifijor.pdf
    • http://talaldaoud.com/uploads/1/3/0/5/130550847/tivevefekemizan.pdf
    • http://akihiroyasui.com/uploads/1/3/0/6/130605120/49c0ab4b4.pdf
    • http://apkzebra.com/uploads/1/3/0/6/130603728/9737935.pdf
    • http://kx3financial.com/uploads/1/3/0/4/130436451/jizozorowagip.pdf
    • http://ecogourmande.com/uploads/1/3/0/6/130639636/juleki.pdf
    • http://boisevalleytreetrimming.com/uploads/1/3/0/6/130621613/mavevebe.pdf
    • http://advancedspeedtechnologies.com/uploads/1/3/0/4/130436236/2b4bc3.pdf
    • http://adoptme.info/uploads/1/3/0/2/130291783/130291783.html#believe+eminem+song
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                   Size
------------------------------  ---------------  ---------------------------------------  -----------
font_00_sfnt_off0000118c.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x118C  9180 bytes
  SHA-256: f147700f12b2de6f6f2523831672c4986510b7e2bb14e622e355ae2178e1c0b0
font_01_sfnt_off00006c4c.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x6C4C  16228 bytes
  SHA-256: 378288d3133907284a1dd708aec606fa45674349f7e67e9eaedc79a8f6af9139
font_02_sfnt_off00008141.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x8141  1948 bytes
  SHA-256: 82790b4c0df171071a627e5a556edd51d5736eb1e56c0e306af724931cb9ba32