Malicious PDF — malware analysis report

Static analysis result for SHA-256 82e58690b7a6dec2…

Verdict: MALICIOUS
File type: PDF
Size: 41.1 KB
Authoring application: Serif PagePlus
MD5: ca9ad1c9935b9ce78d2eddc4443ee3ac
SHA-1: 4813aca9d8d82d415659fad3947756013c0e85e3
SHA-256: 82e58690b7a6dec230d9aa6aca0bebb354f8e0ae3883b8b8f7f8494356317224
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link farm pointing to numerous external PDF documents hosted on various domains. This behavior is indicative of a phishing or redirection scheme intended to lead users to potentially malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the assessment of malicious intent. The embedded URLs are the primary IOCs for this attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000116a.bin
    SHA-256: 08043bec4922f3aaceee4798068e2fc95350d6765ecd546fced63aee16da7a95
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x116A
    Size: 9156 bytes
  • font_01_sfnt_off00006639.bin
    SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6639
    Size: 2600 bytes