Malicious PDF — malware analysis report

Static analysis result for SHA-256 7131ea7804bec94d…

Verdict: MALICIOUS
File type: PDF
Size: 41.7 KB
Authoring application: SWFTools
MD5: 262fcde572d51e9fb9ca47cb1584136e
SHA-1: a4dd06ebdab8b5d2a3299a7af280e0314daea6c9
SHA-256: 7131ea7804bec94da4a2c23facdb812507c46260afb3483c27be1d171014b439
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO manipulation or to distribute malicious content. ClamAV detected this file as Pdf.Phishing.TtraffRobotInstall-7605656-0, and an ML classifier also flagged it as malicious. The embedded URLs suggest a phishing or content distribution attack vector.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://gibbsfin.com/uploads/1/3/0/3/130323163/sotige-ferij-japabaz-fuzapejasik.pdf
    • http://jasonseto.com/uploads/1/3/0/2/130272892/wakokik.pdf
    • http://beyondbeautymedical.com/uploads/1/3/0/6/130639895/jupolefu-batajufozez-dokovimizi-nipadusomasanod.pdf
    • http://www.newburycbclub.com/uploads/1/3/0/6/130604165/474353f4ed3.pdf
    • http://walkiesnairn.co.uk/uploads/1/3/0/7/130739793/zadajotofejuleg_sidomew.pdf
    • http://ncmetalbuildingsdirect.com/uploads/1/3/0/3/130379294/5988526.pdf
    • http://essentialpleasure.com/uploads/1/3/0/7/130775198/d8b86e5f1c05.pdf
    • http://potenc-man.space/uploads/1/3/0/2/130272282/tilagovadatebur.pdf
    • http://qijidaoyin.net/uploads/1/3/0/5/130539046/lemawazu-ronobubazojiju-denejezi-rigejo.pdf
    • http://easthamptoncoffeemill.com/uploads/1/3/0/6/130621703/04e61d1.pdf
    • http://onitscore.com/uploads/1/3/0/7/130776269/5061579.pdf
    • http://raycelamb.com/uploads/1/3/0/6/130620272/wotebalirezogav.pdf
    • http://flbenthos.org/uploads/1/3/0/5/130551086/d1a642a34dc90.pdf
    • http://designlayoutservices.com/uploads/1/3/0/3/130323335/5005104.pdf
    • http://charmgurl.com/uploads/1/3/0/6/130605472/184913.pdf
    • http://bonniesminiaturedolls.com/uploads/1/3/0/8/130874059/8628195.pdf
    • http://alternativerealitycbd.com/uploads/1/3/0/5/130550712/2127550.pdf
    • http://themavins.net/uploads/1/3/0/2/130288380/suwur.pdf
    • http://buythebirdseed.com/uploads/1/3/0/6/130639503/kovutusiba.pdf
    • http://stagesphere.com/uploads/1/3/0/7/130775510/xevinobizu.pdf
    • http://mogulmeadows.org/uploads/1/3/0/7/130740607/b1b7c5d5.pdf
    • http://mycityadd.com/uploads/1/3/0/6/130620811/luvibadadu_fuxalorepu_laditoxu_zisozazubawod.pdf
    • http://ambtcex.com/uploads/1/3/0/3/130379427/130379427.html#how+to+skip+mission+in+gta+san+andreas+pc+game

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000358d.bin
  SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x358D
  Size: 1708 bytes

Filename: font_01_sfnt_off000040b4.bin
  SHA-256: f78e5c7b11f0229763133c4ceb1edc12222ab6fa413d1b64ba7d6e762de0cca8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x40B4
  Size: 8232 bytes