Malicious PDF — malware analysis report

Static analysis result for SHA-256 74ff4b629bbea14b…

Verdict: MALICIOUS
File type: PDF
Size: 43.9 KB
Authoring application: Pdftk
MD5: baeb0f172a6d5a016a7f862515c07d3d
SHA-1: ffadca956be4a442de27a17ee39ed8cba39cb8f0
SHA-256: 74ff4b629bbea14b76269c8639a0adaea6db88c3bb21f9fd98c05ec57737f6d4
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to numerous PDF files hosted on various domains, suggesting a link farm or content distribution network. The ML classifier and ClamAV also flagged this file as malicious, with ClamAV identifying it as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical; PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info; EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://silentlyfallen.org/uploads/1/3/0/5/130542909/zononefunilaw_mibod_toxamidipot.pdf
    • http://boringsidney.com/uploads/1/3/0/7/130775447/8cdd03.pdf
    • http://www.eclectic-shamanism.com/uploads/1/3/0/4/130483869/ffe3c62.pdf
    • http://www.curasano-france.fr/uploads/1/3/0/3/130380037/4477645.pdf
    • http://my36dates.com/uploads/1/3/0/7/130739553/xagifojuwifokagu.pdf
    • http://latecritic.com/uploads/1/3/0/5/130551013/tovabewonet.pdf
    • http://adventureswithrocks.com/uploads/1/3/0/7/130740217/e10fc.pdf
    • http://calmpubhouse.com/uploads/1/3/0/8/130874671/bavumadowotota_rurefube_xexoxifolakofer.pdf
    • http://ncbcg.org/uploads/1/3/0/6/130621376/puroluvobubikit_tubonosixav_dexidipof.pdf
    • http://stayprotected.org/uploads/1/3/0/4/130494636/laniguxemo.pdf
    • http://omeganaturals.ca/uploads/1/3/0/2/130270937/siminif_pulejetidisatuz_wekunap.pdf
    • http://eyefinitymockpractice2.com/uploads/1/3/0/7/130775280/1938765.pdf
    • http://campmarymount.org/uploads/1/3/0/8/130813934/3460859.pdf
    • http://acandleaffairbyangela.com/uploads/1/3/0/5/130588503/wizuwagowebel-wobape.pdf
    • http://rudeburns.com/uploads/1/3/0/6/130639409/9357570.pdf
    • http://walkonconsulting.com/uploads/1/3/0/4/130483153/cb53a434594c.pdf
    • http://jennajeslis.com/uploads/1/3/0/6/130639315/3066376.pdf
    • http://westboro-apts.ca/uploads/1/3/0/2/130289363/mixajuzozixuf.pdf
    • http://theludditepress.com/uploads/1/3/0/4/130476703/6758987.pdf
    • http://thromboprophylaxis.org/uploads/1/3/0/7/130775341/ce4be0830f280b.pdf
    • http://projectdreamport.mobi/uploads/1/3/0/4/130435670/3316762.pdf
    • http://readysetgrowpreschooldaycare.com/uploads/1/3/0/3/130313188/d3d4e666c39fed.pdf
    • http://adeletreasures.com/uploads/1/3/0/3/130323271/3104633.pdf
    • http://canvasmcgill.ca/uploads/1/3/0/3/130313284/7111378.pdf
    • http://hb9uksyu.brdge.org/uploads/1/3/0/5/130588751/130588751.html#examples+of+sales+action+plan

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000049e0.bin
SHA-256: b6f52843ee918fa151fc8b6ba9f33670559a051ab16f435a94375bc8ba45f8bd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x49E0
Size: 7472 bytes