Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f0519f8dcaf6d59…

Verdict: MALICIOUS
File type: PDF
Size: 77.4 KB
Authoring application: Soda PDF
MD5: c17c76889601a516388b69b8716e27e4
SHA-1: 0bff9e4c077dffc5145249daf4da691b0c68eab2
SHA-256: 6f0519f8dcaf6d59971d2138f43bc7c5a4adeae7bbe0ebbc64b11c50e6103701
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a mass external link farm, with many links pointing to other PDF files hosted on suspicious domains. The document body text is obfuscated and contains references to 'Myosin function in muscle contraction' as a lure. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate malicious intent, likely phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis (filename, kind, source, size, SHA-256).

  • font_00_sfnt_off000011e5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11E5
    Size: 9504 bytes
    SHA-256: f201b290756adb873cacf77b6928b945e42f1e23fe6681408324d444563e0b5f
  • font_01_sfnt_off00005de7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5DE7
    Size: 16036 bytes
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
  • font_02_sfnt_off000071fe.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x71FE
    Size: 2652 bytes
    SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea