Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f99ed1c1a537664…

Verdict: MALICIOUS

File type: PDF

Size: 31.8 KB; Authoring application: Adobe PDF Library 9.0
MD5: 5e02d5d4d9c16da1d269286b9340ace9 SHA-1: be7d92ff040e67cf1b851f1427afa7a17df61619 SHA-256: 7f99ed1c1a537664abdcf255ff05aa1c44c3cb1760e3a700f4bc0062b6db242c
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link farm of 22 external PDF links, many of which are hosted on compromised websites and appear to be part of a phishing or malware distribution scheme. The document body text, though heavily obfuscated, mentions downloading Adobe Audition with a crack, suggesting a lure for users seeking pirated software. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000024f9.bin
SHA-256: 94f569f8d8880d5460fc4eb124bb84efdfe99975fc56e0f2ed2e89a5ed7c8940
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x24F9
Size: 8476 bytes