Malicious PDF — malware analysis report

Static analysis result for SHA-256 98aea73af23cbac7…

Verdict: MALICIOUS
File type: PDF
Size: 43.9 KB
Authoring application: ImageMagick
MD5: 0942d6adc1d280191060eede52c30671
SHA-1: a9e014863161df404ef837f4fac235b4215acd24
SHA-256: 98aea73af23cbac7c3d7335cd715e0321367ec4e3d4a1b9328090d2a989f323b
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various PDF files hosted on different domains. This suggests a tactic to distribute malicious content or generate traffic through SEO manipulation. The ML classifier and ClamAV detection strongly indicate malicious intent, with ClamAV identifying it as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000016ea.bin
    SHA-256: 0ac145570a36d1ce5ac93cf7968017d42173b2239652f4223f0b617cc37e0a3d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16EA
    Size: 7932 bytes