Malicious PDF — malware analysis report

Static analysis result for SHA-256 95b31355e06eea10…

Verdict: MALICIOUS
File type: PDF
Size: 42.2 KB
Authoring application: Adobe PDF Library 9.0
MD5: a15c79c56fd17202fb09ba42127f12fc
SHA-1: 17ca8196f571e9d9c0a082be387ea93771b06764
SHA-256: 95b31355e06eea10c49b760c8fd5b4c3743831593d6f026eb82fe20c8e6362b5
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. The ClamAV detection and the ML classifier both strongly indicate malicious intent. The embedded URLs are the primary IOCs; they point to a link farm likely designed to distribute malware or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://leighravenbitch.com/uploads/1/3/0/3/130323449/pebupiju.pdf
    • http://julietlambert.com/uploads/1/3/0/7/130739974/sedelesexofodunudi.pdf
    • http://sacequine.com/uploads/1/3/0/2/130287808/mizidukus-lokaf-gudoso-wowipop.pdf
    • http://thetri-fectagroup.com/uploads/1/3/0/4/130488312/milabudiba_nafaxolexutege.pdf
    • http://ourkidsyourkids.org/uploads/1/3/0/6/130621193/fanomuzoxupenul_xedavixadano.pdf
    • http://nzacres2019.nz/uploads/1/3/0/4/130436173/3e5a9ab.pdf
    • http://autosafenow.com/uploads/1/3/0/7/130739375/f172d22fb57008.pdf
    • http://midcoastconsult.com/uploads/1/3/0/3/130323733/wuwemofozebeluv.pdf
    • http://leadinlife.press/uploads/1/3/0/7/130739117/tosujabomezar.pdf
    • http://virtualpriest.org/uploads/1/3/0/5/130539818/e198334f0fe7b3.pdf
    • http://millennialtraveleats.com/uploads/1/3/0/6/130639781/sazesigubejuti-lonoleje.pdf
    • http://delliefure.co.uk/uploads/1/3/0/7/130776891/wisepizato_toxowa_lulubapot.pdf
    • http://americanbeachranking.com/uploads/1/3/0/8/130874325/52552b769.pdf
    • http://bringmorehappy.com/uploads/1/3/0/5/130550743/8b39056fdf4aef1.pdf
    • http://www.thecraftfoundationtrust.com/uploads/1/3/0/5/130539654/jogolivixobejogoxufu.pdf
    • http://mpowerempire.com/uploads/1/3/0/4/130488500/2e925648964.pdf
    • http://peoplesbooks.us/uploads/1/3/0/6/130640239/130640239.html#reading+answers+of+biological+control+of+pests
    • http://www.thecraftfoundationtrus

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000316a.bin
  SHA-256: 0f23141ba94d37b49c53016ac63a9b008a6ac8e4c4656a8d80e6725f77750189
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x316A
  Size: 16140 bytes

Filename: font_01_sfnt_off0000490d.bin
  SHA-256: 08e109de403f7dd69f76da39d4a746e0d4aeb4513f32e419a5e332eb367bd011
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x490D
  Size: 7936 bytes