Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bd007fdfaa7a674…

Verdict: MALICIOUS
File type: PDF
Size: 51.4 KB
Authoring application: PDFBox
MD5: 33715abd336b38013e11a0f58cdc867b
SHA-1: a4aeab5d009dfe67f2afe5f0aac7593863f522f8
SHA-256: 9bd007fdfaa7a6747fc35fd103cca40cc27b9f3503b85a56185bce8605dcf32a
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier verdict strongly indicate malicious intent. The primary goal appears to be redirecting users to a multitude of potentially malicious or phishing websites, as evidenced by the numerous URLs extracted.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: stream_003_off00007ac2.bin
    SHA-256: c13926f8d004533f270c427f6366791368d664d182ecafc6be2ea1f181588760
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x7AC2
    Size: 18868 bytes
  • Filename: font_00_sfnt_off00001389.bin
    SHA-256: 2c35a77d23e3c32c0c1ba4d9bd236c6f06162f59e88fbdcebdf66d1ba47dc100
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1389
    Size: 8556 bytes