Malicious PDF — malware analysis report

Static analysis result for SHA-256 8579ec33be137a7e…

MALICIOUS

PDF

Size: 42.0 KB
Authoring application: Pdftk
MD5: b9b4581abf3b1cbd7fe4773592759226
SHA-1: abff93cdef45c6362c785faac532148eb3edca07
SHA-256: 8579ec33be137a7ef25765457f19dfb0286b3abb1f72b13d3320cf7560257711
Risk Score: 192

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file contains a large number of embedded links to other PDF files hosted on various domains. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass external PDF link farm, suggesting a coordinated effort to generate traffic or distribute malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or SEO spam.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL (severity: high, rule: PDF_RANDOM_URL_LINK)
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001474.bin
    SHA-256: 318cc9204cf1006c29a9ba7ce5adeb530128c0f935ae05291bce0624c5f7a926
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1474
    Size: 8308 bytes
  • Filename: font_01_sfnt_off000061ef.bin
    SHA-256: 330b332b073374ae16d8d1a0dfb09bb1c5a7818b517863e0f0bde8dd185f2795
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x61EF
    Size: 6436 bytes