Malicious PDF — malware analysis report

Static analysis result for SHA-256 7296ea44025a6b50…

Verdict: MALICIOUS
File type: PDF
Size: 42.3 KB
Authoring application: Mobipocket Creator
MD5:     dff05dcb3ac094f253810eff047aabf1
SHA-1:   f58acf5fe5288498bb82ff590f2a9ef26d412b5f
SHA-256: 7296ea44025a6b50fb2a5fa2f169f45f39197a39721b9e2652ccb495e1ca74cd
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, a pattern typical of SEO spam and of carrier documents that route readers into malicious or unwanted-software delivery chains. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier (malicious score 0.9996) both indicate malicious intent. No scripts were extracted; the document's structure and the heuristic firings suggest it is designed to redirect users into a network of linked PDF documents. Note that the 23 external .pdf targets span 23 distinct hosts but share the same /uploads/1/3/0/<n>/<id>/ path layout, so the generated-carrier signal here is the uniform path template rather than clustering on a single host. The two dejavu.sourceforge.net URLs are consistent with licence metadata from an embedded DejaVu font (two sfnt font streams are carved below) and should not be treated as redirect targets.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://eco2magnesia.com/uploads/1/3/0/2/130272384/cadc3a7e5.pdf
    • http://pchelpnsupport.com/uploads/1/3/0/6/130605278/womididevugefaza.pdf
    • http://www.thejugtree.com/uploads/1/3/0/4/130489467/5158449.pdf
    • http://www.gracefulpages.com/uploads/1/3/0/6/130622012/4282779.pdf
    • http://michelemartintaylor.com/uploads/1/3/0/6/130621214/2e7880f27ca9a08.pdf
    • http://celebrate-it.net/uploads/1/3/0/6/130621596/ea5f02.pdf
    • http://sparkmediasf.com/uploads/1/3/0/5/130544072/suvaroxaxikepol.pdf
    • http://www.opmetoc.com/uploads/1/3/0/8/130815437/977b418dcb86ff.pdf
    • http://sjnbasketball.org/uploads/1/3/0/7/130776401/c5fc1aa038.pdf
    • http://alexisborth.com/uploads/1/3/0/5/130545185/9545719.pdf
    • http://legacyteamchallenge.com/uploads/1/3/0/2/130273578/885e673e3.pdf
    • http://www.greenlitpictures.net/uploads/1/3/0/5/130539170/6503473.pdf
    • http://www.kadensblog.online/uploads/1/3/0/9/130969448/ragepofuvesofaw.pdf
    • http://cartelivision.net/uploads/1/3/0/7/130740026/jatexutuxadi.pdf
    • http://innermomologue.com/uploads/1/3/0/5/130550775/wenasusitetexudemego.pdf
    • http://proactivetherapies.com/uploads/1/3/0/3/130313641/1070134.pdf
    • http://www.alplus.de/uploads/1/3/0/3/130323622/vesosim.pdf
    • http://esperanzafarm.org/uploads/1/3/0/8/130814189/mavapowoneki-zebobopa.pdf
    • http://novellaproposals.com/uploads/1/3/0/5/130588584/fakalikigelime.pdf
    • http://moniquewgyoga.com/uploads/1/3/0/7/130776808/5531416.pdf
    • http://bakerstoves.com/uploads/1/3/0/6/130603696/nipali-bowujivonu-detonefa.pdf
    • http://adventshorts.com/uploads/1/3/0/7/130776447/1806574.pdf
    • http://moonrisefall.com/uploads/1/3/0/5/130541552/rexisowixipiw.pdf
    • http://fmmrz.brdge.org/uploads/1/3/0/6/130621053/130621053.html#accrual+basis+of+accounting+definition
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
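The PDF_SEO_LINK_FARM heuristic above is described only in prose. The following is an added example, not the scanner's own code or part of the original report: it pulls /URI link targets out of raw PDF bytes and applies a link-farm check of the same shape (small file, many external .pdf links, shared path template). The sample PDF is constructed inline with made-up hosts that mimic the /uploads/1/3/0/<n>/<id>/ layout seen in this report, and the thresholds (100 KB, 10 links) are assumptions, not the scanner's.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample targets (made-up hosts) shaped like the report's
# /uploads/1/3/0/<n>/<id>/<name>.pdf pattern spread over many hosts,
# plus one non-.pdf link standing in for font-licence noise.
SAMPLE_TARGETS = [
    f"http://host{i:02d}.example/uploads/1/3/0/{i % 9}/1305{i:05d}/doc{i}.pdf"
    for i in range(24)
] + ["http://fonts.example/wiki/index.php/License"]


def build_sample_pdf(targets):
    """Build a minimal single-page PDF carrying one /Link annotation per target.
    No xref table is written; the extractor below works on raw bytes only."""
    annots = []
    for i, t in enumerate(targets):
        annots.append(
            f"{5 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({t}) >> >>\nendobj\n"
        )
    refs = " ".join(f"{5 + i} 0 R" for i in range(len(targets)))
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        f"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Annots [{refs}] >> endobj\n"
        + "".join(annots)
        + "%%EOF\n"
    )
    return body.encode("latin-1")


# Literal-string /URI values; backslash escapes are consumed pairwise.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def extract_uris(pdf_bytes):
    """Return decoded /URI targets from literal-string URI actions.
    Hex-string URIs (<...>) and object streams are not covered here."""
    out = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))
        out.append(raw.decode("latin-1"))
    return out


def link_farm_verdict(pdf_bytes, max_size=100_000, min_pdf_links=10):
    """Assumed thresholds: a PDF of at most max_size bytes with at least
    min_pdf_links external http(s) links to other .pdf files fires."""
    uris = extract_uris(pdf_bytes)
    pdf_links = [
        u for u in uris
        if urlsplit(u).scheme in ("http", "https")
        and urlsplit(u).path.lower().endswith(".pdf")
    ]
    hosts = Counter(urlsplit(u).netloc.lower() for u in pdf_links)
    # Directory part of each path with digit runs normalised, so
    # /uploads/1/3/0/6/130605278/x.pdf and /uploads/1/3/0/2/130272384/y.pdf
    # collapse onto one template even though the hosts differ.
    skeletons = Counter(
        re.sub(r"\d+", "#", urlsplit(u).path.rsplit("/", 1)[0]) for u in pdf_links
    )
    return {
        "size": len(pdf_bytes),
        "uris": len(uris),
        "pdf_links": len(pdf_links),
        "unique_hosts": len(hosts),
        "top_host_share": hosts.most_common(1)[0][1] / len(pdf_links) if pdf_links else 0.0,
        "top_path_skeleton": skeletons.most_common(1)[0][0] if skeletons else None,
        "fires": len(pdf_bytes) <= max_size and len(pdf_links) >= min_pdf_links,
    }


if __name__ == "__main__":
    for key, value in link_farm_verdict(build_sample_pdf(SAMPLE_TARGETS)).items():
        print(f"{key}: {value}")
```

Run against a real sample, `top_host_share` near 1.0 is the single-host clustering the heuristic text describes; a low share with a single dominant `top_path_skeleton`, as in this report, is the many-host variant of the same carrier pattern. The regex extractor deliberately ignores xref correctness, which is what you want for adversarial PDFs, but it will miss URIs packed into compressed object streams; for those, decompress with a PDF library first.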

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off00002d1d.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x2D1D
  Size:    16036 bytes
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63

font_01_sfnt_off00004400.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x4400
  Size:    7532 bytes
  SHA-256: 2f5bf40cca67a3106e653194317a5f7604d61f764dc8fe03305847b731f71781