Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c6654f07da1f568…

Verdict: MALICIOUS
File type: PDF
Size: 39.5 KB
Authoring application: Pdftk
MD5: 041d15b303c60a77aa4c71496b459a7c
SHA-1: 1cf4571f282b8273ccc2ac30a4ffa21472bd1f0d
SHA-256: 7c6654f07da1f568013e841a41c221f9729ad0e02beeb98b6f83a28c85d6d987
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF document contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links likely lead to further malicious content or phishing sites. The ML classifier and ClamAV detection strongly indicate malicious intent, classifying it as a phishing or downloader type of malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001303.bin
SHA-256: 69cd1b66b120311b068c8bba17e40d1728e1535980398c4bfd4fd22fa5cbd311
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1303
Size: 8984 bytes