Malicious PDF — malware analysis report

Static analysis result for SHA-256 9029823cb914f912…

MALICIOUS

PDF

Size: 39.8 KB
Authoring application: pstoedit
MD5: ea2da59f4f3e3c490024225b35367550
SHA-1: 2c1e7e4c8c059e97188e071e12f5d5adcfb87313
SHA-256: 9029823cb914f9129e9a18714b8cb4e31a9aa316b8cf22471b847d4c3b9a942f
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF carries a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic, which points to a phishing or SEO-spam carrier rather than a normally authored document. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 supports the phishing classification. No scripts were extracted from this sample, so the T1059.001 (PowerShell) tag is not substantiated by any content in the file itself; the embedded URLs are the primary indicators of malicious activity. Every listed URL follows the same /uploads/1/3/0/<digit>/<nine-digit id>/ path scheme across unrelated domains, which suggests bulk-generated pages on one hosting platform rather than genuine document citations.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://shalanjoudry.com/uploads/1/3/0/7/130776350/5542374.pdf
    • http://lisascheick.com/uploads/1/3/0/3/130313156/kaxot-matizuf-rulilekijugif.pdf
    • http://lutherjames.net/uploads/1/3/0/2/130289426/fibesiturewamaz_xegegajuguxasan_puxusot.pdf
    • http://mhwilleke.net/uploads/1/3/0/5/130550848/2610570.pdf
    • http://provantage.club/uploads/1/3/0/6/130605069/niliduludanim.pdf
    • http://badgirlwisdom.com/uploads/1/3/0/8/130874240/093ab.pdf
    • http://dannysindustrialworkwear.com.au/uploads/1/3/0/5/130589240/26fccc.pdf
    • http://www.solfege101.com/uploads/1/3/0/5/130590054/2cc32fce.pdf
    • http://w4him.com/uploads/1/3/0/5/130539072/sevikoxujowo.pdf
    • http://redvelvetbaking.co.uk/uploads/1/3/0/7/130776385/zerogumazirelamug.pdf
    • http://northportleadership.com/uploads/1/3/0/5/130589144/7a7b7.pdf
    • http://www.colossalsecurityindustry.com/uploads/1/3/0/3/130313220/vitomilojanevejuroz.pdf
    • http://cyber1risk.com/uploads/1/3/0/5/130551417/sifawufadififuju.pdf
    • http://www.grittreasures.com/uploads/1/3/0/6/130621603/wupudosuxujaz.pdf
    • http://qkt6r.bpmtc.com/uploads/1/3/0/3/130379167/130379167.html#aashto+t236+pdf
    • http://www.colossalsecurityindustry.com/uploads/1/3/0/3/130313220/vitomilojanevejur
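The link-farm heuristic above is easy to reproduce on a workstation when a scanner is not at hand. The following is an added example written for this page, not the scanner's own implementation: it pulls /URI link annotations out of a PDF with a regular expression, groups the targets by host, and applies three assumed thresholds (small file, many external .pdf targets, most of them on one host). The thresholds, the helper names and the `.invalid` hosts in the constructed sample PDF are all assumptions; it only reads uncompressed object bodies, so a PDF that keeps its annotations inside compressed object streams would need to be decompressed first.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed thresholds for this example; the report's real cut-offs are not published.
MAX_SMALL_PDF_BYTES = 100 * 1024
MIN_EXTERNAL_PDF_LINKS = 8
MIN_TOP_HOST_SHARE = 0.5

# /URI followed by a literal string. Escaped parens (\( \)) are skipped over;
# balanced unescaped parens and hex-string (<...>) URIs are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def _unescape_literal(raw: bytes) -> str:
    """Decode PDF literal-string escapes: \\( \\) \\\\ \\n \\r \\t \\b \\f, octal \\ddd, line continuation."""
    simple = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C or i + 1 >= len(raw):
            out.append(c)
            i += 1
            continue
        n = raw[i + 1]
        if 0x30 <= n <= 0x37:  # octal escape, up to three digits
            j = i + 1
            while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
        elif n in (10, 13):  # backslash-newline is a line continuation, emits nothing
            i += 2
        else:  # \( \) \\ and unknown escapes yield the character itself
            out.append(simple.get(n, n))
            i += 2
    return out.decode("latin-1")


def extract_link_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in uncompressed objects, in file order."""
    return [_unescape_literal(m.group(1)) for m in URI_RE.finditer(pdf_bytes)]


def analyse_links(pdf_bytes: bytes) -> dict:
    """Apply the assumed PDF_SEO_LINK_FARM-style heuristic and return the evidence."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_targets = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname.lower() for u in external if urlparse(u).hostname)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    top_share = top_count / len(external) if external else 0.0
    flagged = (len(pdf_bytes) <= MAX_SMALL_PDF_BYTES
               and len(pdf_targets) >= MIN_EXTERNAL_PDF_LINKS
               and top_share >= MIN_TOP_HOST_SHARE)
    return {"size": len(pdf_bytes), "link_count": len(external), "pdf_link_count": len(pdf_targets),
            "top_host": top_host, "top_host_count": top_count, "top_host_share": round(top_share, 3),
            "flagged": flagged}


def _escape_literal(s: str) -> bytes:
    return s.encode("latin-1").replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def build_sample_pdf(uris: list) -> bytes:
    """Constructed single-page PDF with one /Link annotation per URI (no xref table; the scanner does not need it)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>")
    for i, u in enumerate(uris):
        y = 700 - 20 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [50 %d 300 %d] /A << /S /URI /URI (%s) >> >>"
                    % (y, y + 15, _escape_literal(u)))
    body = b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample: nine links on one host plus four strays, mimicking the path scheme seen in the report.
SAMPLE_URIS = (
    ["http://link-farm-a.invalid/uploads/1/3/0/5/1305%05d/doc%d.pdf" % (i, i) for i in range(9)]
    + ["http://other-b.invalid/uploads/1/3/0/7/130700001/x.pdf",
       "http://other-c.invalid/uploads/1/3/0/8/130800002/y.pdf",
       "http://other-e.invalid/a(b).pdf",          # parentheses exercise the escape handling
       "http://other-d.invalid/page.html#some+query"]
)
SAMPLE_PDF = build_sample_pdf(SAMPLE_URIS)

if __name__ == "__main__":
    print(analyse_links(SAMPLE_PDF))
```

Run it on a real sample with `analyse_links(open(path, "rb").read())`; `top_host_share` and `pdf_link_count` are the two numbers worth recording as evidence alongside the verdict, since a legitimate document with many citations rarely clusters them on one host.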

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004207.bin
SHA-256: 514bb1dfea711d38242b78107cb60f57d2899f720bf76775986dc8a3cc34aad9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4207
Size: 8044 bytes