Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f324f8b28047501…

MALICIOUS

PDF

47.3 KB Authoring application: pstoedit
MD5: 128273115d648bd256857a2d6613eeb5 SHA-1: 1dc17a7439a2511425239da6855d7262f24c85bf SHA-256: 6f324f8b280475014e1255cef6809de31d3e18150cb38e785ae018f6a0d2ce77
192 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file exhibits characteristics of a phishing or spam campaign, as indicated by the ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier's high confidence. The presence of a large number of external PDF links, many with numeric slugs, strongly suggests a link farm or SEO manipulation tactic. While no scripts were explicitly extracted, the PDF structure and embedded URLs point towards a malicious intent, likely to redirect users to further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://moorereplacements.net/uploads/1/3/0/3/130313086/rotibagisozup.pdf
    • http://mew3mew.studio/uploads/1/3/0/4/130477979/punexorotuw.pdf
    • http://wimaumamatters.com/uploads/1/3/0/2/130291724/ec6953165.pdf
    • http://nerdendo.com/uploads/1/3/0/5/130550756/a2d7c1.pdf
    • http://nebraskafarmdog.net/uploads/1/3/0/3/130323286/63619e05f8ed.pdf
    • http://marriagecelebranthilaryvaneldik.com/uploads/1/3/0/6/130605228/0df7211c5847d75.pdf
    • http://nicoleolsthoorn.com/uploads/1/3/0/5/130543168/sepemigem-bisebe-susuvivepelasax.pdf
    • http://nathallybastos.com/uploads/1/3/0/2/130289532/2397404.pdf
    • http://xeg.shadowbiz.ru/uploads/2020/01/29/f9e24cc3.pdf
    • http://armadilloescapes.com/uploads/1/3/0/3/130379461/c3e1aa4570ba.pdf
    • http://momsofzion.com/uploads/1/3/0/2/130287284/1d9946eed0fa6.pdf
    • https://penogerodumuzav.weebly.com/uploads/1/3/0/2/130289411/luxefagojoziz.pdf
    • http://carterskennel.com/uploads/1/3/0/3/130323914/zoxalipavovo.pdf
    • http://zinokifin.landysheva.ru/uploads/2020/01/29/novezebejuker.pdf
    • http://datacenterdan.com/uploads/1/3/0/4/130476917/kebijuw_gutejes_taviwenevu.pdf
    • http://aufgutdeutsch.net/uploads/1/3/0/3/130379824/vikonu.pdf
    • http://reddoorcmgroup.com/uploads/1/3/0/5/130539797/4f97e8.pdf
    • http://naxego.avtosvet24.ru/uploads/2020/01/28/dfa3f232.pdf
    • http://bitforlife.ru/uploads/2020/01/29/volixetorobodivivo.pdf
    • http://amdlifestylemgmt.com/uploads/1/3/0/6/130639980/remexilozow.pdf
    • http://mhrandlenovels.com/uploads/1/3/0/6/130605161/130605161.html#simple+bookcase+plans+pdf

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000015e9.bin
4c72571418892da07f9d41d3ee506e5073a9a122e1f53f9ad80693b3e44d581f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15E9 8664 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.