Malicious PDF — malware analysis report

Static analysis result for SHA-256 6eebaaf96839603f…

Verdict: MALICIOUS
File type: PDF
Size: 52.4 KB
Authoring application: PDF Studio
MD5: 20de8a3b0637e93671d30a2830bf3779
SHA-1: 17139ca3eec6b4a12ebfd3ec0e0a9bcb59da7f94
SHA-256: 6eebaaf96839603f9e3d851dbb0e65f7493b56f505afc031411d7f0fcf9ffcc2
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection and ML classifier also indicate maliciousness, specifically classifying it as 'Pdf.Phishing.TtraffRobotInstall'. The embedded URLs are likely used to distribute further malicious content or for SEO spamming purposes. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000144e.bin
  SHA-256: 767411386010f1d5c70dcbe052f77ec880d9acde08b69af3a0cd141eed56be8a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x144E
Size: 7676 bytes