Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d817b03ff1d4f6f…

Verdict: MALICIOUS
File type: PDF
Size: 31.2 KB
Authoring application: pstoedit
MD5: 9e031929454b114179c1e1e5528bb3cc
SHA-1: 644277afd3bd13c0fe8a8772c298d8c04593c54b
SHA-256: 9d817b03ff1d4f6ff4067b163463c2a10ee5eba799af0acec04b821fc5c6e9cd
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged by multiple heuristics, including a critical alert for a link farm and a ClamAV detection as phishing malware. The document body contains numerous external URLs, with the primary host being 'babyboot.com.au'. This suggests the PDF's purpose is to lure users into clicking these links, likely leading to a phishing site or a malware download. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://babyboot.com.au/uploads/1/3/0/6/130603725/9103430.pdf
    • http://zalexa.vzyat-kredit.online/uploads/2020/01/28/gisukusexofuru.pdf
    • https://gudamiwo.weebly.com/uploads/1/3/0/6/130603965/7d5093cf62d9.pdf
    • http://tip.fiuggi.pro/uploads/2020/01/29/42deb4c.pdf
    • http://trainingcenterchurches.net/uploads/1/3/0/6/130603836/zazus-remup-xobunomewuna-gewegamiwusu.pdf
    • http://nuvi.pp-offer.club/uploads/2020/01/28/gigajutafu.pdf
    • http://dennisandkaterina.com/uploads/1/3/0/6/130604521/gasanikamifutazap.pdf
    • http://defiesmeasurement.com/uploads/1/3/0/3/130323568/jegutiselab_nojexixawixoto_borudujifub.pdf
    • http://dansmoncerveau.com/uploads/1/3/0/2/130272511/130272511.html#some+any+no+compounds+exercises+multiple+choice

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011f1.bin
SHA-256: f8310324da2e7b591bfb6a2bd1200a55637504e19f1041130dae69673333174d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11F1
Size: 7808 bytes