Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2c1dd3802366c11…

MALICIOUS

PDF

Size: 37.3 KB
Authoring application: Mobipocket Creator
MD5: e9cce4672ae2d030af3a62a72c8016c7
SHA-1: d7d38a8cbec0e4b079b1d8d6da832c20e8d0b02e
SHA-256: a2c1dd3802366c11a63a026d09c2e740740ee049af7354b8c0f6d2bd3b6c9181
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious by ML classifiers and ClamAV, specifically as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis revealed a significant number of embedded URLs, indicating a link farm strategy. The primary heuristic 'PDF_SEO_LINK_FARM' confirms this, highlighting the distribution of 16 external PDF links, predominantly hosted on 'buffalolagoon.com'. The document body contains fragmented text related to world maps and privacy policies, which appears to be a lure to mask the malicious intent of redirecting users to numerous other PDF files.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000034f5.bin
SHA-256: aa2f1896470f086fdd43992d308058f38f5b0bf2533efb85d79ad3f54837938b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x34F5
Size: 8376 bytes