Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ac17c4492c56619…

MALICIOUS

PDF

Size: 32.8 KB
Authoring application: Pdftk
MD5: b85afc1995f5eefae63b6ffec0e1be3f
SHA-1: 7f84e580c578b3cc6dc517c23e7caf29d1f930bc
SHA-256: 7ac17c4492c566191d2195ac4957d3ff9d2de596f29cbd7947bde8dda58bca65
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including a critical ClamAV detection for 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and a critical 'PDF_SEO_LINK_FARM' rule. This indicates the document is designed to lure users into clicking on a large number of embedded links. The ML classifier also assigned a high probability of maliciousness. The embedded URLs point to various domains, suggesting a broad phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mission3075.org/uploads/1/3/0/5/130544147/9949793.pdf
    • http://bhelandscaping.com/uploads/1/3/0/5/130551067/c5fcd3b1.pdf
    • http://saintjohnsmilton.org/uploads/1/3/0/6/130640220/99597540e.pdf
    • http://ncstoragebarns.com/uploads/1/3/0/6/130605179/molisozufiw.pdf
    • http://cajarycapital.com/uploads/1/3/0/2/130289235/pibixukapemefeve.pdf
    • http://jonahlisatoc.com/uploads/1/3/0/4/130476395/gikaderu.pdf
    • http://metitazuw.sevilya-barselona.online/uploads/2020/01/29/f1270184.pdf
    • http://pokuzuxanu.sadad-eh.icu/uploads/2020/01/28/xurofifozofifokag.pdf
    • http://taso.master-byta.ru/uploads/2020/01/27/1045961.pdf
    • http://writtencom.com/uploads/1/3/0/5/130588731/2428414.pdf
    • http://dramallamaranch.com/uploads/1/3/0/3/130323896/42a71c30ed288.pdf
    • http://jejed.gost-stroy.com/uploads/2020/01/29/b32c344393933f8.pdf
    • http://giki.forten.pw/uploads/2020/01/27/xolife_samudubawot.pdf
    • http://myfiestaofeight.com/uploads/1/3/0/5/130588769/130588769.html#word+label+template+avery+8366

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001332.bin
SHA-256: 57fda3c6a06b673c9a26731ac82fce54cf01861d656eabd532a74dc75179ae95
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1332
Size: 8564 bytes