Malicious PDF — malware analysis report

Static analysis result for SHA-256 7ded8a34b1b8fd91…

Verdict: MALICIOUS
File type: PDF
Size: 48.5 KB
Authoring application: PDFBox
MD5: fb5e737d4636b8212449e2d050417abd
SHA-1: af7396b35330ead7471d7683eeaeea98a387b28e
SHA-256: 7ded8a34b1b8fd91639ce1435340291c8525fc54494b5d9311997d99d767857e
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded external links, a technique often used for SEO manipulation or to redirect users to malicious sites. ClamAV detected this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and an ML classifier also flagged it with high confidence. No scripts were extracted, but the extensive link farm suggests a phishing or redirection attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00003c29.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x3C29; Size: 16064 bytes
    SHA-256: df5efbd9f539e0d3dc767554fbaab5991a9d69fd3343e08a3c9d199245486688
  • font_01_sfnt_off00005089.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x5089; Size: 3124 bytes
    SHA-256: 45876a76eb067477b588cb0527201ccd9db5651530fe4bfc279a4f6e0d1f1c64
  • font_02_sfnt_off00005e1c.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x5E1C; Size: 8280 bytes
    SHA-256: 34f9cf3af422f447347624b3c697fa82b29079dfb37be0e681b641a6488016af