Malicious PDF — malware analysis report

Static analysis result for SHA-256 8ff0a1409b40685e…

MALICIOUS

PDF

Size: 40.1 KB
Authoring application: PDFedit
MD5: bd110869a830c0c1f9c13b00bc1ae9e3
SHA-1: d2910cacc6f522a06a2c6a9c512e3fda4152ebf0
SHA-256: 8ff0a1409b40685ebcc1d06d5808c8cfcfff0905afecdd09822ad0d611893328
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic, pointing to PDF files hosted on many different domains. This pattern is indicative of a link farm or redirection scheme, which is commonly used to distribute malware or conduct phishing. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports malicious intent related to phishing or traffic redirection. The document body, although heavily obfuscated, contains URLs that also appear in the extracted URL list, reinforcing the link-farm attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://richardson-community-psychology.com/uploads/1/3/0/4/130490078/sirakupilepume.pdf
    • http://curranttech.co/uploads/1/3/0/6/130639419/golegola.pdf
    • https://sogefigelo.weebly.com/uploads/1/3/0/4/130436450/cecb8900cd3.pdf
    • http://mivaxa.vrkuzbass.online/uploads/2020/01/27/4314133.pdf
    • http://detoxdigitalbrasil.com/uploads/1/3/0/6/130621570/zirezekemomo_kedepivutewaf_xeduvupuvin.pdf
    • http://hiinvitational.com/uploads/1/3/0/6/130604200/nupap_wodugakel_rujomezodojudi.pdf
    • http://healthcaremanager.net/uploads/1/3/0/5/130544384/fepileku.pdf
    • http://buddy-burner.com/uploads/1/3/0/2/130289655/mowazig.pdf
    • http://nashobavalleyextractco.com/uploads/1/3/0/5/130551162/130551162.html#free+after+effects+intro+templates

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001259.bin
    SHA-256: 49212d3ee9c82a3b6b7513b90d79801b1a8060c6b6f11f24b3e2a2df03c5703a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1259
    Size: 8768 bytes
  • Filename: font_01_sfnt_off000055f1.bin
    SHA-256: 58338a7627063af129b4d44d007be1c51a456220dbe5c5ae2b68102140835bfa
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x55F1
    Size: 16096 bytes