Malicious PDF — malware analysis report

Static analysis result for SHA-256 775524e19e3a6919…

Verdict: MALICIOUS
File type: PDF
Size: 46.6 KB
Authoring application: PDF Studio
MD5: 3961f05a9219ada6572680fc3993321c
SHA-1: 391c912581504c20d4bdaf05945096fccb0b953f
SHA-256: 775524e19e3a6919fd80aabbde1204b476feec2cbc935b8745da2ff7b16017ed
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious by ML classifiers and ClamAV, specifically flagged as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis revealed a large number of embedded external links, indicating a link farm or redirection strategy. The document body, though partially corrupted, contains references to 'Ableton live techno kick' and lists numerous URLs, reinforcing the link farm heuristic. The primary attack pattern involves leveraging these links to direct users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://kepler-associates.com/uploads/1/3/0/5/130550911/fatiwerekugilo-xukotek.pdf
    • http://nightowlsoulclubs.com/uploads/1/3/0/4/130483736/regejotunuwoxaw_ruxejoj_kikereretam_dedigafewulas.pdf
    • http://atticrodentbarriersystemsonline.com/uploads/1/3/0/5/130588796/xefoguzar.pdf
    • http://neverreacttohate.com/uploads/1/3/0/7/130738615/bc7e0.pdf
    • http://donthesitate.org/uploads/1/3/0/7/130775679/55a21.pdf
    • http://arcofbrowncounty.org/uploads/1/3/0/5/130588987/685393fd5.pdf
    • http://okpins.net/uploads/1/3/0/3/130379314/10c67830daceac5.pdf
    • http://newstylemarket.com/uploads/1/3/0/4/130477192/130477192.html#ableton+live+techno+kick

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, kind, source location inside the PDF, size and SHA-256.

  • font_00_sfnt_off000011b5.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11B5
    Size: 8524 bytes
    SHA-256: 49d849cde84413936deec90db5f0989b77cc311227fd075d360d7c02892b3863
  • font_01_sfnt_off00006e91.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6E91
    Size: 2084 bytes
    SHA-256: 24a7a6556eda39284f851ac864b7820e2e5d8aca495471231feec09de10f728b
  • font_02_sfnt_off0000777a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x777A
    Size: 4288 bytes
    SHA-256: 2426a9c07f2a6036b46793765129bf94179e66b1cebbe7f7a37f5f40bc0a5d35