Malicious PDF — malware analysis report

Static analysis result for SHA-256 7231e5255100ef13…

Verdict: MALICIOUS
File type: PDF
Size: 58.1 KB
Authoring application: PDFBox
MD5: 35951ecbac4864b30c0a6188929993a2
SHA-1: af5cba5ac320b9c7145dc09b66f64a4ba678a950
SHA-256: 7231e5255100ef131195ae182884e8f24c8efd73f124b29b9e2146944093b582
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries an unusually large number of clickable external links, which triggered the PDF_SEO_LINK_FARM heuristic, and ClamAV flags it as Pdf.Phishing.TtraffRobotInstall, consistent with a phishing or malicious-redirection lure. The document body is heavily obfuscated and also references the linked URLs, which supports the reading that the file exists mainly to route readers to external, potentially malicious content. Not every extracted URL is part of that lure, however: the entries pointing at font projects (linux.thai.net, dejavu.sourceforge.net, Noto, SIL OFL) and the malformed concatenations such as http://www.adobe.com/).Noto look like copyright and licence strings carried in the four embedded sfnt fonts rather than link annotations, so the per-URL channel labels should be checked before those hosts are treated as indicators.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9990

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://posabo.vetrics.ru/uploads/2020/01/28/ledexolomuroz_lirugekitebaxo.pdf
    • http://ninaschjeide.net/uploads/1/3/0/4/130435821/furobep_lovafojogusuk_xalijiwubujuwiv_xepiketakune.pdf
    • http://111-pod.site/uploads/1/3/0/5/130545043/poziper_bofizebope_vabobesog.pdf
    • http://aluckyhorseshoe.com/uploads/1/3/0/5/130545827/2491257.pdf
    • http://moretonislandfishingcharters.com/uploads/1/3/0/5/130540699/rixejiw.pdf
    • http://nswminiaturepony.com.au/uploads/1/3/0/6/130621392/renewumoz_gelagimo_febuturubogozu_jasudilo.pdf
    • http://jenn4judge.com/uploads/1/3/0/3/130323407/togapiwupebanari.pdf
    • http://meshayla.com/uploads/1/3/0/5/130543665/130543665.html#sex+and+chopsticks+ii
    • http://linux.thai.net/projects/fonts-tlwg
    • http://www.thaitux.info
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://www.adobe.com/).Noto
    • http://www.google.com/get/noto/http://www.adobe.com/type/This
    • http://scripts.sil.org/OFLNoto
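The two points the heuristics above make, that only URLs reached through a clickable link annotation count toward a link farm, and that a URL-shaped string elsewhere in the file is not a detection, are easiest to see in code. The Python below is an added example and is not code from this report, the sandbox, or ClamAV: it constructs a small single-page PDF with /Link annotations carrying /URI actions plus a content stream whose "font notice" text also contains URLs, labels every extracted URL with the channel that reached it, and applies a link-farm rule with assumed thresholds (200 KB, at least five .pdf targets, at least half on one host). The hosts farm-host.example and other-host.example, the notice string and the thresholds are all assumptions; the page does not publish the real rule's logic.

```python
import re
from collections import Counter
from urllib.parse import urlparse


def build_sample_pdf(link_urls, stream_text: bytes) -> bytes:
    """Construct a minimal single-page PDF (test fixture, not the analysed sample).

    Each URL in link_urls becomes a /Link annotation with a /URI action, i.e. a
    clickable link. stream_text is written into the page's content stream so any
    URL inside it is reachable only as document-body bytes, never as a link.
    """
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annots = " ".join(f"{5 + i} 0 R" for i in range(len(link_urls)))
    objs.append(
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Contents 4 0 R /Annots [{annots}] >>".encode()
    )
    objs.append(b"<< /Length %d >>\nstream\n%s\nendstream" % (len(stream_text), stream_text))
    for url in link_urls:
        objs.append(
            f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            f"/A << /S /URI /URI ({url}) >> >>".encode()
        )
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_pos = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{off:010d} 00000 n \n".encode() for off in offsets)
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_pos}\n%%EOF\n").encode()
    return bytes(out)


# Channel 1: URLs reachable through a clickable /Link annotation with a /URI action.
# Assumes /S /URI precedes the /URI key and the target is a literal (...) string;
# a production tool should walk the parsed object tree instead of matching bytes.
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Channel 2: any URL-shaped byte run anywhere in the file (content streams, font
# copyright strings, XMP metadata). Present in the file, but not necessarily clickable.
RAW_URL = re.compile(rb"https?://[^\s<>()\[\]\"']+")


def link_annotation_urls(pdf: bytes) -> list:
    return [m.group(1).decode("latin-1") for m in URI_ACTION.finditer(pdf)]


def raw_urls(pdf: bytes) -> list:
    return [m.group(0).decode("latin-1") for m in RAW_URL.finditer(pdf)]


def url_channels(pdf: bytes) -> dict:
    """Label every extracted URL with the channel that reached it."""
    clickable = set(link_annotation_urls(pdf))
    return {u: ("link annotation" if u in clickable else "document body only")
            for u in raw_urls(pdf)}


def link_farm_verdict(pdf: bytes, max_size=200 * 1024, min_links=5, cluster_ratio=0.5) -> dict:
    """Assumed re-implementation of a PDF_SEO_LINK_FARM-style rule.

    Fires when a small file carries at least min_links clickable links whose
    targets are .pdf files and at least cluster_ratio of them share one host.
    Thresholds are illustrative, not the sandbox's actual values.
    """
    pdf_targets = [u for u in link_annotation_urls(pdf)
                   if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_targets)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_targets) if pdf_targets else 0.0
    fired = len(pdf) <= max_size and len(pdf_targets) >= min_links and share >= cluster_ratio
    return {"size": len(pdf), "pdf_link_targets": len(pdf_targets),
            "top_host": top_host, "top_host_share": round(share, 2), "fired": fired}


# Constructed fixture: six clickable .pdf links (five on one host), one .html link,
# and a font-notice string in the content stream whose URLs are never clickable.
FARM_LINKS = [f"http://farm-host.example/uploads/1/3/0/5/{n}.pdf" for n in range(5)] + [
    "http://other-host.example/uploads/1/3/0/6/x.pdf",
    "http://farm-host.example/uploads/1/3/0/5/index.html#topic",
]
FONT_NOTICE = (b"BT /F1 12 Tf (Copyright 2003 Bitstream Inc. http://dejavu.sourceforge.net "
               b"licence: http://scripts.sil.org/OFL) Tj ET")
SAMPLE_PDF = build_sample_pdf(FARM_LINKS, FONT_NOTICE)

if __name__ == "__main__":
    for url, channel in url_channels(SAMPLE_PDF).items():
        print(f"{channel:20} {url}")
    print(link_farm_verdict(SAMPLE_PDF))
```

Run against the fixture, the two font-notice URLs come back as "document body only" while the seven annotation targets are "link annotation", and the rule fires on the six .pdf targets with five of six on farm-host.example; the same rule on a two-link document stays silent. The byte-pattern matching is deliberately naive (it misses hex-string targets, /URI keys written before /S, and links in object streams), which is exactly why a sandbox reports the channel per URL rather than treating the raw string list as a verdict.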

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size         SHA-256
font_00_sfnt_off0000125d.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x125D    9260 bytes  869f90fb915504bcb3a65b0593d1669c3655cfb6c13112979f6a0a6cbc6388a4
font_01_sfnt_off00004d76.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x4D76   16888 bytes  598b436daaf3d122157f8aae4d95cb5f98998d7541b527c84c982bd0659a624f
font_02_sfnt_off000065a8.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x65A8   16048 bytes  7241b40c363548c1b38fc59c10bbaabf9f3d92e3c32c88d159f9a1b17b3ad3f3
font_03_sfnt_off00008a4f.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x8A4F   12904 bytes  db1833ed97c4ba811235a8ec13c8c2787dd2bf504f014727a069b86df5d3a89b