Verdict: MALICIOUS
Risk Score: 150
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF was flagged by ClamAV as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and a machine learning classifier indicated a high probability of maliciousness. The primary heuristic identified a large farm of external PDF links, with the first URL being http://gnfi.com/uploads/1/3/0/4/130476485/6298690.pdf. This suggests a phishing or SEO manipulation attack, aiming to redirect users to numerous other PDF documents.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. First URL: http://gnfi.com/uploads/1/3/0/4/130476485/6298690.pdf
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off000016ae.bin 9b6ab3c80bb97599290aca8a0fd81d26b4ebcc452d4ca17712f17a844234180b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x16AE | 7844 bytes |
| font_01_sfnt_off00007f57.bin 8aa75cb42867064b11d539483b075a1f1e0fdb0828faa4ffd1b67b85253fc0be | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F57 | 9332 bytes |
| font_02_sfnt_off0000982b.bin a27b3e6606f841405faf785eb0564ebb2893a1a473ca28aa6d4d316ff9bb707d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x982B | 3304 bytes |