Malicious PDF — malware analysis report

Static analysis result for SHA-256 770e2956b2a10da9…

Verdict: MALICIOUS
File type: PDF
Size: 32.6 KB
Authoring application: pstoedit
MD5: 3026c1ed1086f16140b742aaaf0d3651
SHA-1: 936e65f3ea0378e0a54e9504410f8c17de4b89a6
SHA-256: 770e2956b2a10da9eeb247049e9f6a14846cb4e2c95c05f4409d8a1889fda8da
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of embedded URLs, indicating a link farm designed to redirect users to malicious content. The ClamAV detection and ML classifier strongly suggest malicious intent, specifically identified as phishing. The document body, though corrupted, contains references to Adobe Premiere Pro tutorials and URLs, suggesting a lure to download further malicious PDFs.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://dentalmesaaz.com/uploads/1/3/0/8/130814063/4766261.pdf
    • http://authortonjamurphy.com/uploads/1/3/0/4/130436163/249be.pdf
    • http://0to100.ca/uploads/1/3/0/2/130289524/pukukaz.pdf
    • http://halcyon-down.com/uploads/1/3/0/7/130738984/2204896.pdf
    • http://functionallyfitbycarolyn.com/uploads/1/3/0/4/130488198/db1a7d96fb6.pdf
    • http://webdisk.coprimag.com/uploads/1/3/0/6/130603890/4bf1893a.pdf
    • http://lcdhh.org/uploads/1/3/0/7/130739001/3b39c35393b6b93.pdf
    • http://brianoconnell.org/uploads/1/3/0/5/130551330/5577471.pdf
    • http://www.mymalloryenglish218.com/uploads/1/3/0/2/130287488/7418913.pdf
    • http://www.thewinterpark100.com/uploads/1/3/0/6/130621024/jaguxiwapamajivirav.pdf
    • http://soque.net/uploads/1/3/0/5/130539034/likidavanikoki.pdf
    • http://hostmaster.yektaeren.co.uk/uploads/1/3/0/3/130379113/govexifa.pdf
    • http://kidztokidz.org/uploads/1/3/0/7/130738637/wopokigusanejoxukure.pdf
    • http://6000hudson.com/uploads/1/3/0/2/130289244/poxizomozeri_zonaxemupol_tebizoluvizati.pdf
    • http://artisanmadegemstones.com/uploads/1/3/0/4/130483863/ximuvufijak.pdf
    • http://woodbridgenjplumbers.com/uploads/1/3/0/8/130874408/goduwubelazuna.pdf
    • http://aireenp.com/uploads/1/3/0/2/130289392/gixaxaz_dunud_vijewupevabu_vakuvason.pdf
    • http://fightchronicle.com/uploads/1/3/0/3/130323187/8179c2f.pdf
    • http://brightnaidu.com/uploads/1/3/0/5/130550901/44f7c351298.pdf
    • http://feralpictures.com/uploads/1/3/0/2/130291545/pizoluv.pdf
    • http://www.dclatinonews.com/uploads/1/3/0/2/130274024/ruragiva_fexifaro_wezotafenen.pdf
    • http://coachfro.com/uploads/1/3/0/5/130544132/zutifimi_bapifatowupix_liziwinasejipit.pdf
    • http://indoorqualityaircody.com/uploads/1/3/0/5/130590208/130590208.html#adobe+premiere+pro+cs6+video+tutorial
    • http://coachfro.com/uploads/1/3/0/5/1305441

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001fa6.bin
SHA-256: 99f4905fb8588e1d4e99e708db32e184aac3cc3eefbf06d672676c28822d4e63
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1FA6
Size: 7128 bytes