Malicious PDF — malware analysis report

Static analysis result for SHA-256 733c643ddaa08668…

MALICIOUS

PDF

Size: 38.6 KB
Authoring application: QPDF
MD5: 434108088f36a3c6be322124e8a4f9b7
SHA-1: 70c1932b3e45adf1ea64de8fd2b5fa3066edf777
SHA-256: 733c643ddaa086682a818a2088cb11791f3e66c3161e4eb613e7bf12bb8b9ad6
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF embeds a large number of external links, a pattern used for SEO manipulation and for routing readers into further malicious content. ClamAV matches it as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', a phishing / traffic-redirection signature, and the ML classifier scores it as malicious with near-certainty (0.9999). The 21 extracted link targets sit on 21 different hosts but share one /uploads/1/3/0/<n>/<id>/ path layout, and 20 of them are themselves .pdf files, which is consistent with a generated chain of link-farm PDFs rather than genuine document citations. This is a static verdict: the URLs were extracted from the file, not fetched.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://fullforcepersonaltraining.com/uploads/1/3/0/4/130436272/e5583.pdf
    • http://life-starcoaching.com/uploads/1/3/0/6/130639139/pilogisupak_suduvudebu_zuvuduvazatazas.pdf
    • http://partylimolosangeles.com/uploads/1/3/0/5/130590592/676daa1d5b55.pdf
    • http://studio16george.com/uploads/1/3/0/8/130873899/rozoziguxaguxow.pdf
    • http://triosreadydentallaboratory.com/uploads/1/3/0/5/130588272/vofesuwi.pdf
    • http://www.stgilespres.com/uploads/1/3/0/4/130476738/6495701.pdf
    • http://mmshop.club/uploads/1/3/0/8/130874110/tekadobuwimanuvabim.pdf
    • http://hamandhistoire.com/uploads/1/3/0/4/130489833/dunizoxezanu.pdf
    • http://flyers4free.com/uploads/1/3/0/5/130550716/f9752f3b2896c.pdf
    • http://thecheck.in/uploads/1/3/0/5/130588457/ramilogexo.pdf
    • http://www.mkwritingsolutions.co.uk/uploads/1/3/0/6/130604111/rinebuponeku.pdf
    • http://skywarnforum.com/uploads/1/3/0/6/130639549/ziguwesogusawi_xikogazof.pdf
    • http://dgelectricinc.com/uploads/1/3/0/5/130589454/fedatimujesofovenape.pdf
    • http://gregdrews.com/uploads/1/3/0/7/130776104/kulefukaw.pdf
    • http://turningcancerintolaughter.com/uploads/1/3/0/5/130539672/4845754.pdf
    • http://nowphotobooths.com/uploads/1/3/0/7/130775690/8632b702e31efe3.pdf
    • http://belgiumdiamondlab.com/uploads/1/3/0/7/130775557/8a9caa5e0a.pdf
    • http://moonlight.gffgrow.org/uploads/1/3/0/4/130483583/danud.pdf
    • http://burlesquepodcasts.com/uploads/1/3/0/6/130639472/6470088.pdf
    • http://www.ksc313.org.uk/uploads/1/3/0/9/130969980/kububaka.pdf
    • http://29.bpmtc.com/uploads/1/3/0/6/130604702/130604702.html#noun+verb+adjective+adverb+pronoun+list
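The PDF_SEO_LINK_FARM and EMBEDDED_URL heuristics above describe a check a practitioner can reproduce. The script below is an added example and is not the scanner's code: it pulls every /URI out of link annotations, keeps the http(s) ones, clusters them by host (as the rule text describes) and additionally by path layout (an assumption added here, because in this sample the links span 21 hosts but share one /uploads/1/3/0/... layout), and flags a small file whose links concentrate in one cluster. The thresholds, the sample PDFs and all host names are constructed for illustration; the scanner's real thresholds are not published on the page.

```python
"""Added example, not the scanner's own code: a PDF link-farm heuristic in
the spirit of the page's PDF_SEO_LINK_FARM rule.  Thresholds and the
path-layout clustering are assumptions for illustration."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (....) inside a link annotation's action dictionary.  Only uncompressed
# object bodies are visible this way; annotations packed into object streams
# need the file inflated first (see the usage note below the code).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return the /URI literals found in raw PDF bytes, unescaped."""
    out = []
    for raw in URI_RE.findall(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", raw)  # \( \) \\ -> ( ) \
        out.append(raw.decode("latin-1"))
    return out


def path_layout(url: str, depth: int = 4) -> str:
    """First `depth` path segments, e.g. /uploads/1/3/0 (assumed cluster key)."""
    return "/".join(urlsplit(url).path.split("/")[: depth + 1])


def link_farm_verdict(pdf_bytes: bytes, max_size: int = 256 * 1024,
                      min_links: int = 10, min_share: float = 0.5) -> dict:
    """Apply the heuristic and return the evidence together with the verdict."""
    external = [u for u in extract_uris(pdf_bytes)
                if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname or "" for u in external)
    layouts = Counter(path_layout(u) for u in external)
    n = len(external)
    top_host, host_n = (hosts.most_common(1) or [("", 0)])[0]
    top_layout, layout_n = (layouts.most_common(1) or [("", 0)])[0]
    host_share = host_n / n if n else 0.0
    layout_share = layout_n / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and max(host_share, layout_share) >= min_share)
    return {"size": len(pdf_bytes), "external_links": n,
            "distinct_hosts": len(hosts), "top_host": top_host,
            "top_host_share": round(host_share, 3),
            "top_layout": top_layout,
            "top_layout_share": round(layout_share, 3),
            "flagged": flagged}


def build_pdf_with_links(urls: list[str]) -> bytes:
    """Constructed sample input: a one-page PDF whose only content is one
    /Link annotation per URL (URLs must not contain parentheses)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]"
                b" /Annots [" + refs + b"] >>")
    for i, url in enumerate(urls):
        y = 700 - 12 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d]"
                    b" /A << /S /URI /URI (%s) >> >>" % (y, y + 10, url.encode()))
    buf, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(buf))
        buf += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(buf)
    buf += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    buf += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    buf += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_at))
    return bytes(buf)


# Constructed samples; the hosts are placeholders, not the report's link targets.
FARM_SAME_HOST = build_pdf_with_links(
    [f"http://farm.example/uploads/1/3/0/4/13043{i:04d}/doc{i}.pdf" for i in range(20)]
    + ["http://other.example/index.html"])
FARM_MANY_HOSTS = build_pdf_with_links(
    [f"http://site{i}.example/uploads/1/3/0/{i % 9}/1305{i:05d}/x{i}.pdf" for i in range(21)])
BENIGN = build_pdf_with_links(["https://a.example/paper.pdf",
                               "https://b.example/about",
                               "mailto:author@b.example"])

if __name__ == "__main__":
    for name, pdf in (("same-host farm", FARM_SAME_HOST),
                      ("many-host farm", FARM_MANY_HOSTS),
                      ("benign", BENIGN)):
        print(name, link_farm_verdict(pdf))
```

The regex only sees annotation dictionaries stored in plain object bodies. For a real sample whose objects sit in compressed object streams, rewrite it first with `qpdf --qdf --object-streams=disable in.pdf out.pdf` and run the check on the output; it is worth noting that this sample's own authoring application is recorded as QPDF, so the carrier itself was produced or rewritten with that tool.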

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002b35.bin
  SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2B35
  Size: 1708 bytes

Filename: font_01_sfnt_off0000365c.bin
  SHA-256: 2cc558854d16da30ffee5bbeaf8f29798a376c9e6c67eb6c7c5c27b517c828e6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x365C
  Size: 8080 bytes