Malicious PDF — malware analysis report

Static analysis result for SHA-256 7cf2ec1a7a6d3e60…

Verdict: MALICIOUS
File type: PDF
Size: 98.3 KB
Authoring application: Mobipocket Creator
MD5: 36d570d476c39d25f57f14b688208414
SHA-1: 743d5495c3ade5707fab80e715123c63c4dfcd44
SHA-256: 7cf2ec1a7a6d3e60bad79fa800eb6e05d7fe08e957dd99c55f45f4ed2ca36c2a
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF_SEO_LINK_FARM heuristic indicates the presence of a large number of external links, suggesting a link farm or redirection mechanism. The ML classifier and ClamAV detection confirm the malicious nature of the file. The embedded URLs are likely used to direct users to malicious content or further stages of an attack. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9955

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://nu9empire.com/uploads/1/3/0/5/130546118/30df49.pdf
    • http://brianabrahamactor.com/uploads/1/3/0/4/130488812/3398044.pdf
    • http://moodage.net/uploads/1/3/0/2/130289577/vadur.pdf
    • http://mymoneyways.com/uploads/1/3/0/8/130813557/zirojivuzaroxex.pdf
    • http://watlingst.com/uploads/1/3/0/4/130483239/4120346.pdf
    • http://webmail.cantatrice.ca/uploads/1/3/0/3/130324241/jikijusetuvepiv.pdf
    • http://oscarsterte.com/uploads/1/3/0/4/130493476/72e90270abbe97.pdf
    • http://harperharred.com/uploads/1/3/0/6/130639348/4707b75cd0c95c.pdf
    • http://divinelove.ca/uploads/1/3/0/6/130640164/rafekovajisek_gomakidigov_vurasiguwo.pdf
    • http://www.janetgay-counselling.uk/uploads/1/3/0/7/130740213/vefavanilikez.pdf
    • http://www.piute-high-school.com/uploads/1/3/0/5/130589198/351112.pdf
    • http://purplestore.net/uploads/1/3/0/6/130621610/79abd07a78f.pdf
    • http://www.lawsexfineliterature.com/uploads/1/3/0/4/130489131/4474337.pdf
    • http://host3.carmichaelnl.com/uploads/1/3/0/4/130483852/130483852.html#east+facing+house+vastu+tips+in+tamil
    • http://oscarsterte.com/uploads/1/3/0

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • font_00_sfnt_off000026a7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x26A7
    Size: 9164 bytes
    SHA-256: d3dee83c98689bebaa190301cb375cd3bcb243d100f21e897253f9bb85c9398e
  • font_01_sfnt_off0000e627.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE627
    Size: 4556 bytes
    SHA-256: f2b284127ac0aaaab410adaa023c48540a05f5b9ab6e38c40ba88021377eadf5
  • font_02_sfnt_off0000f56b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF56B
    Size: 4772 bytes
    SHA-256: 7c203bf3f048399bd0bfcc2b6b9ad0f43ee48e73dfdb55a8ce32a3df1aa4ec1d
  • font_03_sfnt_off0001044f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1044F
    Size: 17000 bytes
    SHA-256: 5234743bdcbacc7b5fb5ba8b37fc4a52523753677715d366b5c16a5aa9a80f4a
  • font_04_sfnt_off00011c2b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11C2B
    Size: 1844 bytes
    SHA-256: ea3dc1d1c6b158f51805120729441ddc4412905df9da1f241f53e5f5a0cbb6e7
  • font_05_sfnt_off0001252f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1252F
    Size: 7712 bytes
    SHA-256: f636ae314f95f4f1b04f06cfa8c0ce088a2f4d626de80eac625906acce678eb3
  • font_06_sfnt_off0001397d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1397D
    Size: 8892 bytes
    SHA-256: cfec225636dbb7c7f198cd8d10dab75ff2cfe5e452a7a3c0e2e95b6ee1197075