MALICIOUS
Risk Score: 152
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO spam or to distribute further malicious content. ClamAV identified this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', indicating a phishing or traffic redirection purpose. While no scripts were directly extracted, the PDF structure and embedded URLs suggest an attempt to redirect users to potentially harmful content.
Machine Learning
- Nyx PDF Classifier malicious score 0.9993
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000542e.bin 1336299c9767aa266bba3178f21027a3fd6cacb7ef4649d3a71fc180d2947448 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x542E | 9000 bytes |
| font_01_sfnt_off00010ee4.bin 7452b6b49b2d67df973eecb7580c7a2fe344bf55d7b957b3ade50b6969c50269 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10EE4 | 16068 bytes |