Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d717c219d185325…

Verdict: MALICIOUS
File type: PDF
Size: 38.4 KB
Authoring application: PDF Studio
MD5: e42258dd64748f8a2d755fb2a147f0d2
SHA-1: 6db1338eb91ab00944fb3bf6fb768566708667d9
SHA-256: 8d717c219d185325049272aaecd3215edbb80df85536e3194948f5c4f47eb12b
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF files hosted on various domains, indicating a link farm or redirection strategy. ClamAV detected this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and ML classification strongly supports maliciousness. The embedded URLs are the primary IOCs, suggesting a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003a87.bin
SHA-256: e7ba3429509f4954b229a38feb40b7d039af566631d2929917181c9a108ba8ad
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3A87
Size: 7700 bytes