Malicious PDF — malware analysis report

Static analysis result for SHA-256 978144f0015db65a…

MALICIOUS

PDF

Size: 34.2 KB
Authoring application: Mobipocket Creator
MD5: cce071415f8f3d2d4f7350712be7f6fb
SHA-1: 74e26a5f3c633db2eed90bdcbed9454ade23bd86
SHA-256: 978144f0015db65ae91b462174656820eda248b7d783aaeefe6e9e079f13fe29
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links to other PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for malicious content, as flagged by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV detection further support its malicious nature. No scripts were extracted, and the document body was truncated, limiting further analysis of specific payloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.saxoninsuranceservices.com/uploads/1/3/0/6/130639342/rolirubidow_nonet_jenomijupew.pdf
    • http://marketingsuite-community.com/uploads/1/3/0/6/130620861/wojorajud_muxulebelog_ripogukil_bosoro.pdf
    • http://katrinadasilvaart.com/uploads/1/3/0/6/130621457/e97df23e17ff22.pdf
    • http://buildonedesign.org/uploads/1/3/0/6/130605240/5505503.pdf
    • http://cfstephenville.com/uploads/1/3/0/7/130776561/b22ecf2.pdf
    • http://photolenka.com/uploads/1/3/0/5/130546136/9dfbbf89f9.pdf
    • http://retired.blue/uploads/1/3/0/6/130603882/7092429.pdf
    • http://wearethepack.com/uploads/1/3/0/6/130621322/duxoto.pdf
    • http://www.cox-wedding.rominastiebenphotography.com/uploads/1/3/0/8/130813649/649f9dcc158e.pdf
    • http://acmehempcompany.com/uploads/1/3/0/4/130489143/bidotot_matetexokakax.pdf
    • http://goodmorninghomes.ca/uploads/1/3/0/5/130589279/2954039.pdf
    • http://54north.info/uploads/1/3/0/7/130740618/lijetekedonif.pdf
    • http://paulsykesdrivingschool.com/uploads/1/3/0/6/130604560/130604560.html#merge+jpg+into+pdf
    • http://www.cox-wedding.rominastie

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002e69.bin
SHA-256: dd6ac59d76b8c76cd94dc3f752b1f295736d575ebf5258aefe4b13689f7a597c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2E69
Size: 7652 bytes