Malicious PDF — malware analysis report

Static analysis result for SHA-256 78389ff773c686f3…

Verdict: MALICIOUS
File type: PDF
Size: 98.0 KB
Authoring application: Nitro PDF
MD5: 48e7a97ddea319086bbd1749b27b3bdc
SHA-1: a15cb009161cb4e513f8ef59193126e2c1e09cc4
SHA-256: 78389ff773c686f3b27347c4d9bc819924f3ba12d051524d1f1e8b021c089360
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains a large number of clickable external links to other PDF files hosted across several domains, which triggered the PDF_SEO_LINK_FARM heuristic. The ML classifier (malicious score 0.9503) and a ClamAV signature (Pdf.Phishing.TtraffRobotInstall-7605656-0) both flag the file; the signature name points to a phishing / unwanted-software installer lure rather than an exploit document. No JavaScript or other script was extracted from the file, so the T1059.007 mapping is not backed by a recovered script, and the verdict rests on the link-annotation pattern and the signature match. The most plausible purpose of the links is to route a reader who clicks them into follow-on phishing pages or malware downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9503

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://sierrasun.ca/uploads/1/3/0/8/130814176/bamep-tapakovenokivo.pdf
    • http://mollysteinwald.org/uploads/1/3/0/6/130603692/nanekakapa.pdf
    • http://sayvoz.com/uploads/1/3/0/5/130590413/zixivepudemi.pdf
    • http://tiv.strongysha.xyz/uploads/2020/01/28/899d172.pdf
    • http://spotsbay.com/uploads/1/3/0/5/130545475/3455311.pdf
    • http://acouturelife.com/uploads/1/3/0/4/130483337/130483337.html#surah+yasin+arab+full
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    The /uploads/... targets are spread over six hosts, but five of them share the same /uploads/1/3/0/<n>/<id>/ path layout with random-looking filenames; in this sample that shared template, rather than a single host, is the clustering signal. The two dejavu.sourceforge.net URLs are the vendor and licence URLs carried in DejaVu font metadata, consistent with the embedded sfnt fonts listed under Extracted artifacts rather than with a lure link.
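The PDF_SEO_LINK_FARM heuristic and the EMBEDDED_URL list above describe the signal but not how it is computed. The following is an added example written for this page, not the analysis platform's own rule engine: it pulls `/URI` targets out of link annotations in a raw PDF, keeps only external `.pdf` targets, and measures how they cluster. It goes slightly beyond the heuristic text by also clustering on a digit-normalised path template, because the sample's targets sit on different hosts but share one `/uploads/...` layout. The sample PDF, the `.invalid` hostnames and the thresholds (200 KB, 5 links, 50% concentration) are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample input (not the analysed file): hosts use the reserved
# .invalid TLD, paths mirror the /uploads/1/3/0/<n>/<id>/<name>.pdf layout.
SAMPLE_URIS = [
    "http://a.example.invalid/uploads/1/3/0/8/130814176/bamep.pdf",
    "http://b.example.invalid/uploads/1/3/0/6/130603692/nanek.pdf",
    "http://c.example.invalid/uploads/1/3/0/5/130590413/zixiv.pdf",
    "http://d.example.invalid/uploads/1/3/0/5/130545475/3455311.pdf",
    "http://e.example.invalid/uploads/2020/01/28/899d172.pdf",
    "http://d.example.invalid/uploads/1/3/0/4/130483337/130483337.html#lure",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]


def build_sample_pdf(uris):
    """Minimal uncompressed PDF with one /Link annotation per URI.
    Enough for a byte-level scanner; not viewer-grade (no xref table)."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + annots + b"] >>")
    for u in uris:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>")
    out = bytearray(b"%PDF-1.4\n")
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(out)


# Literal-string /URI values in uncompressed objects only. Hex strings and
# annotations packed into compressed object streams need a real parser or a
# decompression pass first.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_link_uris(pdf_bytes):
    """Return the /URI targets of link actions, in file order."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        s = m.group(1)
        for esc, ch in ((b"\\(", b"("), (b"\\)", b")"), (b"\\\\", b"\\")):
            s = s.replace(esc, ch)          # undo the common literal-string escapes
        uris.append(s.decode("latin-1"))
    return uris


def path_template(url):
    """Directory part of the URL path with digit runs collapsed to N, so that
    /uploads/1/3/0/8/130814176/x.pdf and /uploads/1/3/0/6/130603692/y.pdf
    compare equal."""
    directory = urlparse(url).path.rsplit("/", 1)[0] or "/"
    return re.sub(r"\d+", "N", directory)


def link_farm_score(pdf_bytes, max_size=200 * 1024, min_links=5, cluster=0.5):
    """Flag a small PDF whose link annotations point at many external .pdf
    targets that concentrate on one host or on one path template."""
    uris = extract_link_uris(pdf_bytes)
    external_pdf = [u for u in uris
                    if urlparse(u).scheme in ("http", "https")
                    and urlparse(u).path.lower().endswith(".pdf")]
    n = len(external_pdf)
    hosts = Counter(urlparse(u).netloc.lower() for u in external_pdf)
    templates = Counter(path_template(u) for u in external_pdf)
    top_host, host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tpl, tpl_n = templates.most_common(1)[0] if templates else ("", 0)
    host_frac = host_n / n if n else 0.0
    tpl_frac = tpl_n / n if n else 0.0
    hit = (len(pdf_bytes) <= max_size and n >= min_links
           and (host_frac >= cluster or tpl_frac >= cluster))
    return hit, {"size": len(pdf_bytes), "links_total": len(uris),
                 "external_pdf": n, "top_host": top_host,
                 "host_fraction": host_frac, "top_template": top_tpl,
                 "template_fraction": tpl_frac}


if __name__ == "__main__":
    hit, details = link_farm_score(build_sample_pdf(SAMPLE_URIS))
    print("PDF_SEO_LINK_FARM" if hit else "no hit", details)
```

On the constructed sample the host concentration is only 0.2 (five hosts, one link each) while the path-template concentration is 0.8, so the template check is what fires; a two-link document with the same layout stays below `min_links` and is not flagged. The `.html#...` lure and the font licence URL are counted as links but excluded from the `.pdf` target set, matching the report's own distinction between extracted URLs and the detection.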

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                       Size
stream_002_off0000f9e8.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0xF9E8     32260 bytes
    SHA-256: 6667886db57fc148748d68306acfa2f18ba2737187fb5cef4cb47b6d3ef711b5
font_00_sfnt_off0000ec9a.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0xEC9A    1708 bytes
    SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086
font_02_sfnt_off000131c7.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x131C7   8692 bytes
    SHA-256: da791fa10ac4ea2f6546f3c2ef1da81a1ef02136ba70a98827d296decf8fb2b6
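The artifact table records FlateDecode streams carved at file offsets and hashed after decompression, which is also the step that would surface a link annotation or script hidden inside a compressed object stream that a grep over the raw file misses. The following is an added example written for this page, not the analysis platform's carving code: it walks `N G obj ... endobj` objects in a raw PDF, slices each stream by its `/Length` (falling back to scanning for `endstream`), inflates FlateDecode streams with zlib, hashes the result and lists indicator keywords found in the inflated bytes. The sample PDF, the offset convention (first byte after the `stream` keyword's EOL) and the indicator list are constructed assumptions.

```python
import hashlib
import re
import zlib

# Object and stream syntax of a plain PDF body. Best effort: binary stream data
# containing the literal bytes "endobj" would confuse OBJ_RE, so /Length is
# trusted first and the endstream scan is only a fallback.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_KW = re.compile(rb"\bstream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # direct lengths only

# Keywords worth a second look once a stream is inflated. Presence is an
# indicator for triage, not a verdict: a benign PDF can carry /URI.
INDICATORS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction",
              b"/URI", b"/EmbeddedFile")


def build_sample_pdf():
    """Constructed test input: a FlateDecode content stream, a FlateDecode
    object stream hiding a /Link annotation, and one uncompressed stream."""
    content = b"BT /F1 12 Tf 72 700 Td (Hello) Tj ET"
    hidden = (b"<< /Type /Annot /Subtype /Link /Rect [0 0 50 10] "
              b"/A << /S /URI /URI (http://lure.example.invalid/x.pdf) >> >>")
    streams = [
        (b"/Filter /FlateDecode", zlib.compress(content)),
        (b"/Type /ObjStm /N 1 /First 0 /Filter /FlateDecode", zlib.compress(hidden)),
        (b"", b"plain uncompressed stream data"),
    ]
    out = bytearray(b"%PDF-1.5\n")
    for num, (extra, data) in enumerate(streams, 1):
        out += b"%d 0 obj\n<< /Length %d %s >>\nstream\n" % (num, len(data), extra)
        out += data + b"\nendstream\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(out)


def carve_streams(pdf_bytes):
    """One record per stream object: object number, offset of the stream data,
    filter flag, inflated bytes (raw bytes if no filter or inflation fails),
    SHA-256 of those bytes and any indicator keywords they contain."""
    records = []
    for obj in OBJ_RE.finditer(pdf_bytes):
        body = obj.group(3)
        kw = STREAM_KW.search(body)
        if not kw:
            continue                                  # not a stream object
        head = body[:kw.start()]                      # the stream dictionary
        data_start = obj.start(3) + kw.end()
        raw = None
        lm = LENGTH_RE.search(head)
        if lm:                                        # trust /Length if it lands on endstream
            end = data_start + int(lm.group(1))
            if pdf_bytes[end:end + 12].lstrip(b"\r\n").startswith(b"endstream"):
                raw = pdf_bytes[data_start:end]
        if raw is None:                               # fallback: scan back from endstream
            end = pdf_bytes.rfind(b"endstream", data_start, obj.end())
            if end < 0:
                continue
            raw = pdf_bytes[data_start:end]
            if raw.endswith(b"\r\n"):                 # drop the single EOL before endstream
                raw = raw[:-2]
            elif raw[-1:] in (b"\n", b"\r"):
                raw = raw[:-1]
        is_flate = b"/FlateDecode" in head
        payload = raw
        if is_flate:
            try:
                payload = zlib.decompress(raw)
            except zlib.error:
                pass                                  # corrupt/truncated: keep raw for triage
        records.append({
            "obj": int(obj.group(1)),
            "offset": data_start,
            "raw_len": len(raw),
            "flate": is_flate,
            "data": payload,
            "sha256": hashlib.sha256(payload).hexdigest(),
            "indicators": [k.decode() for k in INDICATORS if k in payload],
        })
    return records


if __name__ == "__main__":
    for r in carve_streams(build_sample_pdf()):
        print("obj %d off 0x%X flate=%s len=%d sha256=%s %s" % (
            r["obj"], r["offset"], r["flate"], len(r["data"]), r["sha256"], r["indicators"]))
```

The point of the object-stream case is that `/URI` is absent from the raw file bytes and only appears after inflation, which is why a report's "no scripts extracted" statement is only as good as the decompression pass behind it. Real samples add cross-reference streams, other filters (`/LZWDecode`, `/ASCIIHexDecode`, filter chains) and indirect `/Length` values, all of which this scanner deliberately leaves to a full parser.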