Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f10fe380428d464…

MALICIOUS

PDF

Size: 63.3 KB
Authoring application: ImageMagick
MD5: 28c50e2552876bf9db206dd66d7ec8ae
SHA-1: fe070a931d4c3dc2b7a93b41a8d740c85f1c4428
SHA-256: 7f10fe380428d464ba245c070e0d4423121a91538176cbe6be4298a86630e092
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files hosted on various domains. This behavior is indicative of SEO poisoning or a phishing campaign designed to drive traffic to malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing and traffic redirection nature of this file. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

font_00_sfnt_off000012da.bin
  SHA-256: 09854a9f5a44a933b69a080b7e341ce226715fb46d86426fcd6ac8394ce37840
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x12DA
  Size:    8288 bytes

font_01_sfnt_off0000a000.bin
  SHA-256: a565ba89bdb458c3560b8c4c96aa0e3a7cd6487ae25ddfc3ee8c966181b66420
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xA000
  Size:    16068 bytes

font_02_sfnt_off0000b469.bin
  SHA-256: 708dcda0e8c82a62b47bcace295824f18a4676b753450c7071ac3147d0ef0540
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xB469
  Size:    3316 bytes