Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d518c543771d696…

Verdict: MALICIOUS
File type: PDF
Size: 46.0 KB
Authoring application: pstoedit
MD5: 966c86072168a184dc24804ee3892071
SHA-1: f7115b14c54b330d95f3d19cd7dbaf17f064a5c1
SHA-256: 6d518c543771d696f8f42b30fff9733a1ddfbf83cef31da8ff9c2c74e7f6b22c
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV also flagged this file as malicious, with ClamAV specifically identifying it as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The document body is heavily obfuscated and appears to be a lure related to 'Acr guidelines rheumatoid arthritis pdf', but the primary malicious activity is the mass linking to external PDF resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection. See the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://kresscreative.com/uploads/1/3/0/9/130969525/262410062868a8.pdf
    • http://www.ultimateattainment.com/uploads/1/3/0/4/130490221/fumebutetuzagoxi.pdf
    • http://www.heidifasteraune.com/uploads/1/3/0/5/130550972/jufuba_dabatojo_vapunem_molasopub.pdf
    • http://www.speedcubing101.com/uploads/1/3/0/7/130776712/winadebamuwu-mimuzifugonifa.pdf
    • http://webdisk.morningstartraders.com/uploads/1/3/0/5/130590383/lovodokow_ninubupazeloki_sibojama.pdf
    • http://mountainxllc.com/uploads/1/3/0/6/130622002/b236e274cac19.pdf
    • http://afsanehkhoramshahi.com/uploads/1/3/0/6/130604740/ziditifowifes.pdf
    • http://jessicazuk.com/uploads/1/3/0/6/130639199/5136339.pdf
    • http://mta-sts.chameliramachandran.com/uploads/1/3/0/6/130640235/634446.pdf
    • http://thatitguru.com/uploads/1/3/0/4/130490488/newokis_gavunur.pdf
    • http://mta-sts.mx.petitenadirah.com/uploads/1/3/0/9/130969750/rezenewuxupid.pdf
    • http://mystparanormal.com/uploads/1/3/0/7/130740522/37c564b.pdf
    • http://scouttroop79.com/uploads/1/3/0/4/130488810/jepiriwifijelad_faxoxilivasipa.pdf
    • http://otcdl.brdge.org/uploads/1/3/0/7/130775865/130775865.html#acr+guidelines+rheumatoid+arthritis+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
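The link-farm heuristic is worth reproducing in a triage script, because the detail that matters for this sample is visible in the URL list: the clickable links are not on one host at all, they are spread across many unrelated domains that share the same /uploads/1/3/0/N/NNNNNNNNN/ path template and random-word file names, so clustering by host alone would miss it. The last three URLs (ascendercorp.com and the Liberation font licence page) are consistent with vendor and licence strings inside the two embedded sfnt fonts carved below rather than with link annotations, which is one reason a scanner should take its URIs from /URI actions only. The following Python is an added example, not the analysis platform's own rule: it builds a constructed sample PDF from the URLs listed above, pulls every /URI action target, and clusters the targets by host and by path template. The size, count and ratio thresholds are assumptions.

```python
"""Toy scorer for the PDF_SEO_LINK_FARM pattern: many clickable external .pdf
links in a small document, clustered on one host or on one path template.
Added example, not the analysis platform's rule; thresholds are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample input: a subset of the URLs listed in the report above,
# plus the two non-PDF links, each wrapped in its own /Link annotation.
SAMPLE_URLS = [
    "http://kresscreative.com/uploads/1/3/0/9/130969525/262410062868a8.pdf",
    "http://www.ultimateattainment.com/uploads/1/3/0/4/130490221/fumebutetuzagoxi.pdf",
    "http://www.heidifasteraune.com/uploads/1/3/0/5/130550972/jufuba_dabatojo_vapunem_molasopub.pdf",
    "http://www.speedcubing101.com/uploads/1/3/0/7/130776712/winadebamuwu-mimuzifugonifa.pdf",
    "http://mountainxllc.com/uploads/1/3/0/6/130622002/b236e274cac19.pdf",
    "http://jessicazuk.com/uploads/1/3/0/6/130639199/5136339.pdf",
    "http://otcdl.brdge.org/uploads/1/3/0/7/130775865/130775865.html#acr+guidelines+rheumatoid+arthritis+pdf",
    "http://www.ascendercorp.com/typedesigners.html",
]


def build_sample_pdf(urls):
    """Hand-build a one-page PDF carrying a /URI link annotation per URL.
    No xref table is written on purpose: the scanner below is regex-based,
    as a triage scanner must be, because link-farm PDFs are often malformed."""
    objs, annots = [], []
    for num, url in enumerate(urls, start=4):
        objs.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({url}) >> >>\nendobj\n")
        annots.append(f"{num} 0 R")
    body = ("%PDF-1.4\n"
            "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            "3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            f"/Annots [{' '.join(annots)}] >>\nendobj\n"
            + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# /URI targets may be literal strings (parentheses, backslash escapes) or hex strings.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def extract_link_uris(pdf_bytes):
    """Return the target of every /URI action, in both string encodings."""
    found = []
    for m in URI_LITERAL.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # drop PDF string escapes
        found.append(raw.decode("latin-1"))
    for m in URI_HEX.finditer(pdf_bytes):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:  # PDF pads an odd final digit with 0
            hexstr += b"0"
        found.append(bytes.fromhex(hexstr.decode("ascii")).decode("latin-1"))
    return found


def path_template(url):
    """Collapse digit runs and the file name so structurally similar paths compare
    equal: /uploads/1/3/0/9/130969525/262410062868a8.pdf -> /uploads/N/N/N/N/N/*.pdf"""
    head, _, fname = urlparse(url).path.rpartition("/")
    ext = fname.rsplit(".", 1)[1].lower() if "." in fname else ""
    head = re.sub(r"\d+", "N", head)
    return f"{head}/*.{ext}" if ext else f"{head}/*"


def assess_link_farm(pdf_bytes, max_size=100 * 1024, min_pdf_links=5, cluster_ratio=0.6):
    """Score one PDF. All three thresholds are illustrative assumptions."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in external)
    templates = Counter(path_template(u) for u in external)
    top_host, host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tpl, tpl_n = templates.most_common(1)[0] if templates else ("", 0)
    # Cluster on a single host (the rule's stated pattern) or, as this sample
    # shows, on one hosting-provider path template spread across many domains.
    cluster = max(host_n, tpl_n) / len(external) if external else 0.0
    flagged = (len(pdf_bytes) <= max_size and len(pdf_links) >= min_pdf_links
               and cluster >= cluster_ratio)
    return {
        "size": len(pdf_bytes),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": (top_host, host_n),
        "top_template": (top_tpl, tpl_n),
        "cluster_ratio": round(cluster, 2),
        "PDF_SEO_LINK_FARM": flagged,
    }


if __name__ == "__main__":
    for key, value in assess_link_farm(build_sample_pdf(SAMPLE_URLS)).items():
        print(f"{key}: {value}")
```

On the constructed sample the host count is 8 distinct hosts for 8 links, so a host-only rule sees no cluster, while the path-template view groups six of the eight under /uploads/N/N/N/N/N/*.pdf and trips the heuristic. Running the same extraction over a real sample and diffing the /URI targets against every URL-shaped string in the file is a quick way to separate clickable lure links from font, producer or licence metadata.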

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00004e7a.bin
    SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4E7A
    Size: 2600 bytes
  • font_01_sfnt_off00005a40.bin
    SHA-256: 7068cc3f2435a38ee373fc7f820d09fa5ba12f19bb1987467756998b090b368a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5A40
    Size: 8328 bytes