Malicious PDF — malware analysis report

Static analysis result for SHA-256 72b8a4f1f730b0a1…

Verdict: MALICIOUS
File type: PDF
Size: 79.2 KB
Authoring application: Poppler-utils
MD5: 40195da527c060c96b668065edf7dd10
SHA-1: 42943f31e78fe9fb365e00b5c85205a8b81e32ca
SHA-256: 72b8a4f1f730b0a18f52ced57c1fd7a17b151173d6075a29f782a12cfb4bfa5d
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged by multiple heuristics, including a ClamAV signature and an ML classifier, indicating malicious intent. The primary attack pattern observed is a link farm containing 28 external PDF URLs, suggesting a tactic to manipulate search engine results or to distribute further malicious content. No scripts were extracted, so the embedded URLs are the highest-priority IOCs.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9961

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://101taiwantour.com/uploads/1/3/0/2/130288479/507a39942365c.pdf
    • https://goxomutovitemo.weebly.com/uploads/1/3/0/4/130476101/8b5967f.pdf
    • http://cabuildingdecarb.org/uploads/1/3/0/2/130287394/4026645.pdf
    • http://mr-spa.co.uk/uploads/1/3/0/6/130620154/7103983.pdf
    • http://mindfullyliving.net/uploads/1/3/0/2/130288364/wiminurugi.pdf
    • http://dtailspetboutiquespa.com/uploads/1/3/0/2/130289722/bolonokupaseta.pdf
    • http://milwaukeesfavoritedj.com/uploads/1/3/0/6/130621475/5849298.pdf
    • http://cincyfirstladiesforhealth.org/uploads/1/3/0/5/130588570/zinuribezejapeki.pdf
    • http://visvertier.com/uploads/1/3/0/4/130489029/54aae9f494f488b.pdf
    • http://jmalawntech.com/uploads/1/3/0/6/130604231/zuwanujazigozo_wuferifiluvupet_fezizig_vujutumowo.pdf
    • http://datow.finresult.com/uploads/2020/01/28/5fd90f139f6.pdf
    • http://market-voice.ru/uploads/2020/01/27/gajexuv.pdf
    • http://lockyrkk.xyz/uploads/2020/01/28/soralosazo-gunoraxak.pdf
    • http://unipolgroupfitness.com/uploads/1/3/0/6/130639780/vitunolopilu-lajof-wagisu-buboxomezorib.pdf
    • http://policetrailer.com/uploads/1/3/0/6/130605074/130605074.html#whatsapp+para+blackberry+q10+apk
    • http://linux.thai.net/projects/fonts-tlwg
    • http://www.thaitux.info
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • http://www.adobe.com/).Noto
    • http://www.google.com/get/noto/http://www.adobe.com/type/This
    • http://scripts.sil.org/OFLNoto
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
stream_008_off0000e106.bin | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xE106 | 21564 bytes | 45242c8bd4045f49dcafa0b4bbabb479e7182d256e82ccc377c69ed445494560
font_00_sfnt_off0000178d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x178D | 13008 bytes | f3e1bdcc95b63d3ab26d49331a0f04cfa506140036eb0db17508ccf7b63637d6
font_01_sfnt_off00007b2d.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7B2D | 6908 bytes | 03742b3af56d0894ab5df65dc3134d6d1f1537ecfbbc759efc3d5c9763d8381a
font_02_sfnt_off000090ed.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x90ED | 10240 bytes | bbd465158f88620f6b89bbc14fd4053a393fda34b464cf5d9625b9580ee6f51f
font_03_sfnt_off0000a6b8.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA6B8 | 8480 bytes | 868a07a666c5032a714f2e4aaba4b67d05df30d312a0dd626753a432c02aa9de
font_04_sfnt_off0000bd06.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xBD06 | 8400 bytes | 99c5193cfd8c036c1ae011c773f5a8e9b9247b36e3e6dc2fbfbefde82fa9f0cc
font_05_sfnt_off0000d387.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD387 | 3508 bytes | 4c93801c4768b9cf34ec960e4f85d683fdbe353adcc5a9e70f9f8b41c5e92470