Malicious PDF — malware analysis report

Static analysis result for SHA-256 8636f578083a6c6f…

Verdict: MALICIOUS
File type: PDF
Size: 58.5 KB
Authoring application: GIMP
MD5: 0ae88d3793697421d6d8465a87255fa9
SHA-1: 62563afe7adb143e2212e50854b22609adb339c6
SHA-256: 8636f578083a6c6f7b5cc62d8227ade59d2824afdfbfb7fb230b82a452203920
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files, a technique commonly used for SEO poisoning or to distribute malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent. The embedded URLs likely serve as lures to download further payloads or redirect to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://excelappdevelopment.com/uploads/1/3/0/5/130545189/ed6c1ea38b.pdf
    • http://tristamalexander.com/uploads/1/3/0/5/130589316/lasaliketa.pdf
    • http://phroztnet.net/uploads/1/3/0/4/130483799/kixijidin_vifokufozenite_xuwusubomuraw_tebukilizepofa.pdf
    • http://mike4congress.com/uploads/1/3/0/7/130739385/rijazofenipog_wojabimeno.pdf
    • http://sunrayvapors.net/uploads/1/3/0/6/130604588/korod.pdf
    • http://sonoratradingpost.net/uploads/1/3/0/5/130550803/lefajalowomaxefida.pdf
    • http://englishtheory.com/uploads/1/3/0/3/130324137/728f6918eadf.pdf
    • http://mentorherbizmembership.com/uploads/1/3/0/4/130483489/zidivelenoded_tutetuderimi_xutukolasuwu_fivutebofavam.pdf
    • http://therealmick.com/uploads/1/3/0/6/130621579/8928173.pdf
    • http://lickatoad.com/uploads/1/3/0/6/130605430/dunaxaxefopelu-jotig-fimen-gijozuxemaj.pdf
    • http://www.californiapureminerals.com/uploads/1/3/0/5/130544635/130544635.html#haemoglobin+estimation+127+g%2Fl

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • Filename: font_00_sfnt_off00000ed4.bin
    SHA-256: b369d0164f1089ea10a880034a5420ca737512756d9669a243dd74881ea70b14
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xED4
    Size: 8308 bytes
  • Filename: font_01_sfnt_off00008e13.bin
    SHA-256: 1a31ae148aa4af7763392fe954e924425a92485837aa085ee7fbb165703794ca
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8E13
    Size: 2636 bytes
  • Filename: font_02_sfnt_off000096c2.bin
    SHA-256: ddc6c38a5929b263b215a5b0c7aa8b1a409f146866f06980111f9f21a6232bf4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x96C2
    Size: 16036 bytes