Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fb15a35a18f765c…

Verdict: MALICIOUS
File type: PDF
Size: 49.5 KB
Authoring application: pdf-parser
MD5: ded4f7134f8841c463812681253dada6
SHA-1: 74c38ff810b1172193c1a173c2d4564d40b95429
SHA-256: 9fb15a35a18f765c6834831bb793c575b0b02b6f5757936bde12852830465630
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including a critical alert for a link farm and ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The embedded URLs suggest a phishing or SEO manipulation scheme, aiming to redirect users to potentially malicious content hosted on various domains. The document body content is heavily obfuscated and does not provide further clues on the specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://biopacificmexico.com/uploads/1/3/0/6/130604150/71b2b0bedf8.pdf
    • http://olgashomecooking.com/uploads/1/3/0/7/130775658/01593.pdf
    • http://nikaspaus.com/uploads/1/3/0/4/130491079/jutiziduxasarovil.pdf
    • http://cigmamotorsports.com/uploads/1/3/0/4/130435597/pisuwobab-vorijato.pdf
    • http://www.realtalkwithricki.com/uploads/1/3/0/2/130288465/ragebiveje-bevazamuvununil-febupilesejuf.pdf
    • http://base-connect.com/uploads/1/3/0/5/130550805/zubirezedukufuro.pdf
    • http://alpinetransit.com/uploads/1/3/0/2/130291702/sugupema.pdf
    • http://columbushardscapes.com/uploads/1/3/0/2/130270790/4170860.pdf
    • http://mymindfulspirit.com/uploads/1/3/0/5/130539886/fokowozofir.pdf
    • http://wordzap8.com/uploads/1/3/0/5/130540604/e3213e8572808.pdf
    • http://mail.uspaeast.com/uploads/1/3/0/5/130540155/mofiwowolomavuxopok.pdf
    • http://netspeedsolutions.com/uploads/1/3/0/2/130289161/7431497.pdf
    • http://www.thecharme.net/uploads/1/3/0/6/130604233/32bc9.pdf
    • http://hapticfashion.com/uploads/1/3/0/5/130545597/jobisot.pdf
    • http://ohigholifedesigns.shop/uploads/1/3/0/4/130483680/8dce1e7a02.pdf
    • http://a1159608xstreamtravel.xsideas.com/uploads/1/3/0/8/130814055/130814055.html#clear+cell+adnexal+carcinoma+canine

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000058fe.bin
  SHA-256: 57d56b268b7894c59eb9b531a8613f74d0fcbc28028d6a6d979fb96d4898d3c8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x58FE
  Size: 2976 bytes

Filename: font_01_sfnt_off00006634.bin
  SHA-256: 2fc8b940bedaa6ede9470ddf0fd58eb793465886feece6e6c746f5c8bed44944
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6634
  Size: 8464 bytes