Malicious PDF — malware analysis report

Static analysis result for SHA-256 7515907a01de5683…

MALICIOUS

PDF

30.6 KB Authoring application: Poppler-utils
MD5: 868b9ded248b9f44480bbfd829baf488 SHA-1: c91c3cdfe569831c51184ecd626245895ab1b258 SHA-256: 7515907a01de56833b1580934623d8fbeb8e302950fdd21a2f3494c349a7d761
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute malicious content. ClamAV detected this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', indicating a phishing or malicious redirection attempt. The document body, while containing garbled text, also repeats the phrase 'CLICK HERE TO SHOW YOUR SONG' and includes URLs that are likely part of this lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wwidbq.com/uploads/1/3/0/6/130605212/kadajutedin_sipuzulodu_pogofegexem.pdf
    • http://ark47.com/uploads/1/3/0/6/130639141/4425792.pdf
    • http://alanmaps.com/uploads/1/3/0/4/130488387/5160033.pdf
    • http://gomriz.com/uploads/1/3/0/7/130775294/130775294.html#bass+song++in+masstamilan
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00000f6a.bin
d7f455b4aef93f545c28d62f054fa0189a111254c764440625b7add73963c22c		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF6A 7884 bytes
font_01_sfnt_off00003b98.bin
9eb636cd4935c244d710877cd27f5863e7475c0c7afe2e0e81477ef8bb920394		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3B98 2816 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.