Malicious PDF — malware analysis report

Static analysis result for SHA-256 8986270fd3cb59c5…

MALICIOUS

PDF

40.1 KB Authoring application: Solid Converter PDF
MD5: 1dddeedf3a88e289c424ebd09dcee4a6 SHA-1: 45dd3c687e794098f35b2ae6bacfff0d2609ab17 SHA-256: 8986270fd3cb59c5a5fa19cbc6a3824062b92db4059f58ec230fdf7ef8f5eb05
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded URLs pointing to other PDF files, indicating a link farm or distribution mechanism. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier's high confidence score further support malicious intent. The primary attack pattern involves directing users to a multitude of external PDF resources.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.ernestlinkconsultingltd.co.uk/uploads/1/3/0/7/130739629/0df320e1.pdf
    • http://lilyrm.net/uploads/1/3/0/6/130640174/kobetukup.pdf
    • http://pmcpaintingscom.com/uploads/1/3/0/6/130639539/nazuvoduwerig.pdf
    • http://royaloakbrewerschampionship.com/uploads/1/3/0/6/130639583/8657690.pdf
    • http://miracleinabucket.com/uploads/1/3/0/5/130588459/6574092.pdf
    • http://luelly.com/uploads/1/3/0/7/130776148/zutelu-jewekesororibud-pomuwe-votup.pdf
    • http://girlytwirl.com/uploads/1/3/0/5/130551684/fd7e0d.pdf
    • http://ministryiq.org/uploads/1/3/0/6/130603975/2348439.pdf
    • http://bestcapper.com/uploads/1/3/0/6/130604191/bajuwifavuxejejiv.pdf
    • http://hostmaster.hordlegardeningclub.co.uk/uploads/1/3/0/8/130874146/8605413.pdf
    • http://danishvillagekringle.com/uploads/1/3/0/3/130379362/junojutu.pdf
    • http://meyersmpg.com/uploads/1/3/0/4/130476322/0e16aa2f6072.pdf
    • http://tamaragazzard.com/uploads/1/3/0/8/130874211/3311561.pdf
    • http://monikagodsmark.com/uploads/1/3/0/7/130738740/1739798.pdf
    • http://redeemernewton.com/uploads/1/3/0/7/130740258/punasevapoxe-wufokiz.pdf
    • http://mail.lynnokimura.com/uploads/1/3/0/5/130588554/57c1c7ccf27e5b.pdf
    • http://sportsandfineartscenter1.com/uploads/1/3/0/4/130476204/7750475.pdf
    • http://tnbwebinar2018.com/uploads/1/3/0/4/130435561/salelagub.pdf
    • http://mundofeliz.es/uploads/1/3/0/6/130621195/munifonenuv.pdf
    • http://wickesinstitute.com/uploads/1/3/0/6/130620745/simozidimuxifudizova.pdf
    • http://lakewoodelementary.net/uploads/1/3/0/7/130739904/130739904.html#inverse+of+a+matrix+elementary+row+operations
    • http://miracleinabucket.com/uploads/1/3/0/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003ce4.bin
40c8e8ae76bd7ba2a8be5a09e8c597b2601806987a8bb9f567b39d1ba208d81b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3CE4 7984 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.