Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d9e781978f75147…

Verdict: MALICIOUS
File type: PDF
Size: 40.6 KB
Authoring application: Nitro PDF
MD5: a0c17a7e5ef02b62d128b0a83ef12181
SHA-1: 8c3c43098bfcd5d14a8b7d16c3619599f49a1ab6
SHA-256: 6d9e781978f75147baf425aed0685cfb60921ca498c736a92aba92561008af4f
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO spam or to redirect users to malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. While no scripts were extracted, the PDF structure and embedded URLs suggest a phishing or content-luring attack pattern.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000029ff.bin
  SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x29FF
  Size: 16204 bytes

Filename: font_01_sfnt_off000041e3.bin
  SHA-256: 415ee254f4088f6c84a9065edb97b294f643473e0408e74fe96ff7c413f8cdc2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x41E3
  Size: 9988 bytes