Malicious PDF — malware analysis report

Static analysis result for SHA-256 8820aaa72b1a0635…

MALICIOUS

PDF

Size: 40.5 KB. Authoring application: Mobipocket Creator
MD5: a1694cca27d91e0b9241a767c9e2fe4e SHA-1: 191f8b49f763f060fdc34efe989f11fd38ecabdd SHA-256: 8820aaa72b1a063549b9e3a88113f6d8aac875cf7d85e0d59ec4ed4cb06e3fff
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document was flagged by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0 and a machine learning classifier. It contains a large number of embedded URLs pointing to other PDF files hosted on various domains, indicating a link farm or distribution mechanism. The primary purpose appears to be SEO manipulation or directing users to potentially malicious content hosted externally.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003a2b.bin
SHA-256: 8dd44b9e4fb5844c26c1070a5f0e6c8ea6fbf924b49420dfaf6c18ff98b54a08
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3A2B
Size: 7848 bytes