Malicious PDF — malware analysis report

Static analysis result for SHA-256 81adda7a2178088c…

MALICIOUS

PDF

Size: 42.1 KB
Authoring application: Inkscape
MD5: aeb278bda56ba938fb78003fa6464632
SHA-1: 22d52dcd1f86b0bbc1e5f3ba10212bb739a3dc6a
SHA-256: 81adda7a2178088cb23b04c595cc344a967e922b3373a4ee40074cd9fc557696
Risk Score: 160

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a link farm of external PDF files, suggesting a phishing or scam attempt to redirect users to malicious content. The presence of a 'download button' heuristic further supports this, indicating a lure to download potentially harmful files. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' strongly indicates a phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure (severity: low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004cf5.bin
SHA-256: 1f8f4f3538f6bb3fc952037797e8a3e6eeaf115a0f55becf4d9c15c3cdb62e38
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4CF5
Size: 8780 bytes