Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa6193faf1fcedd4…

Verdict: MALICIOUS
File type: PDF
Size: 44.8 KB
Authoring application: pdf-parser
MD5: 198ec815eabac005ec85ee33fdcb3ffc
SHA-1: 12a29eaa79bbdd0ea79c16272ffbb4dc5d76e4d9
SHA-256: aa6193faf1fcedd4790d0c7d3d46dd5a77b75ddcdf372537847be75c7fceff00
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic; this is consistent with a phishing or SEO link-farm carrier rather than a document with a normal citation pattern. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently supports phishing intent. No scripts were extracted from the sample, so static analysis cannot establish any payload delivery mechanism beyond the links themselves; the T1059.001 (PowerShell) mapping is not evidenced by any extracted content and should be read as a possible downstream stage rather than an observed one. Note that the extracted URLs listed below are spread across many different hosts that share the same /uploads/1/3/0/<n>/<id>/ path structure, most of them pointing at further .pdf files, which is the generated-template pattern the heuristic is designed to catch.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://www.nomadtransportation.net/uploads/1/3/0/5/130544584/perazor-sokivoxelegav.pdf
    • http://1-800events.com/uploads/1/3/0/7/130738623/5296997.pdf
    • http://www.i-tesori.com/uploads/1/3/0/7/130739423/perejutukurigomudubo.pdf
    • http://studioluspi.com.au/uploads/1/3/0/6/130604723/0788e3ed3effb7d.pdf
    • http://hotorgrot.net/uploads/1/3/0/2/130273738/sojon-vijulepan-kikezefeti-nudepuxif.pdf
    • http://edcollaborations.org/uploads/1/3/0/5/130539886/ebb9f79995677.pdf
    • http://granniesgrandfiesta.com/uploads/1/3/0/7/130739080/tepubaj_letowagasax.pdf
    • http://superyachthistory.com/uploads/1/3/0/7/130776075/sakofizuga-fereb.pdf
    • http://eventcateringwantage.co.uk/uploads/1/3/0/6/130604729/8f0af.pdf
    • http://awolimited.com/uploads/1/3/0/4/130476684/7340850.pdf
    • http://gonzalesprimarycare.com/uploads/1/3/0/4/130483325/gabisamomifezisomer.pdf
    • http://celenacox.com/uploads/1/3/0/5/130543154/2988034.pdf
    • http://1-800events.com/uploads/1/3/0/7/130775111/bukuguluk-vutabon-niwodin-wolate.pdf
    • http://www.jaeladi.com/uploads/1/3/0/4/130435694/rexizuvunavexobijon.pdf
    • http://myaustralianview.com/uploads/1/3/0/5/130543740/suxodevejupe.pdf
    • http://vitamchale.com/uploads/1/3/0/2/130288379/e005726.pdf
    • http://www.houstonsynchrostars.com/uploads/1/3/0/2/130289521/5041899.pdf
    • http://autumndiaries.com/uploads/1/3/0/2/130287799/4cdaf529.pdf
    • http://stampexinternational.com/uploads/1/3/0/5/130538816/7218455b1fa0a.pdf
    • http://vcareheatingandplumbing.com/uploads/1/3/0/5/130542872/192b663.pdf
    • http://hopgal.com/uploads/1/3/0/7/130739315/8c6ba4.pdf
    • http://pof-addcallsettings.com/uploads/1/3/0/4/130489564/6d883.pdf
    • http://maxsiefert.com/uploads/1/3/0/8/130873912/kimoman.pdf
    • http://moversinmiami.net/uploads/1/3/0/4/130476262/vavekonul.pdf
    • http://763rl.slpny.com/uploads/1/3/0/5/130543483/130543483.html#free+plywood+dinghy+boat+plans
    • http://celenacox.com/uplo
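The PDF_SEO_LINK_FARM heuristic above describes a pattern (small file, many clickable external .pdf links, clustered on one host or minted from one path template) that can be reproduced in a few lines. The following is an added example and is not the analysis platform's own heuristic or pdf-parser code: it scans uncompressed /URI link annotations only (objects inside compressed object streams would have to be inflated first), the thresholds are assumptions chosen for illustration, and the sample PDF bytes are constructed inline rather than taken from this sample.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# /URI ( ... ) inside an uncompressed link annotation; the group tolerates
# escaped parentheses. Objects inside compressed object streams would have
# to be inflated first (not handled here).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI literal string in the raw PDF bytes, in file order."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = (m.group(1).replace(b"\\(", b"(")
                         .replace(b"\\)", b")")
                         .replace(b"\\\\", b"\\"))
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_score(pdf_bytes: bytes, min_links: int = 20,
                    max_size: int = 100_000, cluster_ratio: float = 0.5) -> dict:
    """Link-farm heuristic: small file, many external links, and the links
    cluster either on one host or on one generated path template.
    All three thresholds are assumptions chosen for this example."""
    external = [u for u in extract_uris(pdf_bytes)
                if urlparse(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter(urlparse(u).netloc.lower() for u in external)
    # Collapse digits in the directory part so URLs minted from one template
    # (e.g. /uploads/1/3/0/5/130544584/x.pdf) group together across hosts.
    patterns = Counter(re.sub(r"\d+", "N", urlparse(u).path.rsplit("/", 1)[0])
                       for u in external)
    top_host, top_host_n = (hosts.most_common(1) or [("", 0)])[0]
    top_pat, top_pat_n = (patterns.most_common(1) or [("", 0)])[0]
    clustered = n > 0 and max(top_host_n, top_pat_n) / n >= cluster_ratio
    return {
        "external_links": n,
        "pdf_links": sum(urlparse(u).path.lower().endswith(".pdf") for u in external),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_path_pattern": top_pat,
        "link_farm": len(pdf_bytes) <= max_size and n >= min_links and clustered,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed minimal PDF carrying one /Link annotation per URL. No xref
    table, so it is for the byte-level scan above, not for rendering."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (%s) >> >>\n"
        % u.encode("latin-1").replace(b"(", b"\\(").replace(b")", b"\\)")
        for u in urls)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n" + annots +
            b"] >> endobj\n%%EOF\n")


# Constructed link-farm sample: 24 links over 12 hosts, all minted from the
# same /uploads/N/N/N/N/N/ template, mirroring the shape of the URL list above.
FARM_URLS = [f"http://site{i % 12}.example/uploads/1/3/0/{i % 8}/1305{i:05d}/doc{i}.pdf"
             for i in range(24)]
# Constructed benign control: a handful of ordinary citations.
BENIGN_URLS = ["https://example.org/paper.pdf", "https://example.net/cite",
               "http://example.com/ref.pdf"]

if __name__ == "__main__":
    print(link_farm_score(build_sample_pdf(FARM_URLS)))
    print(link_farm_score(build_sample_pdf(BENIGN_URLS)))
```

The path-template clustering is the part worth keeping: host clustering alone would miss a carrier like this one, where each link lands on a different domain but every path is generated from the same template.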

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004d3d.bin
SHA-256: 4243d942c256102a71fa96736d502aaa40a1b0d1fed4774309f9a0bd2ba06723
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4D3D
Size: 7632 bytes
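The artifact above is an sfnt font carved at a byte offset inside the PDF. Trusting a four-byte magic alone produces false carves (b"true" also appears in ordinary PDF syntax); a sound carver parses the table directory that follows the magic, rejects hits whose table records fall outside the buffer, and sizes the carve as the end of the furthest table. The following added example does exactly that; it is not the analysis platform's carver and is unrelated to the bytes of font_00_sfnt_off00004d3d.bin, which the report does not reproduce. The 64-table sanity bound, the toy font and the PDF-like wrapper are constructed assumptions.

```python
import struct
from typing import Optional

# sfntVersion values for TrueType, CFF-based OpenType, Apple TrueType and
# Apple Type 1 wrappers.
SFNT_TAGS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"typ1")
MAX_TABLES = 64  # sanity bound (assumption): real fonts carry a few dozen tables


def parse_sfnt(data: bytes, offset: int) -> Optional[dict]:
    """Parse the offset table and table directory at `offset`. Returns None
    unless every table record lies inside `data`; otherwise the table list
    and the carve size (from `offset` to the end of the furthest table)."""
    if offset + 12 > len(data) or data[offset:offset + 4] not in SFNT_TAGS:
        return None
    (num_tables,) = struct.unpack(">H", data[offset + 4:offset + 6])
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    tables, end = [], offset + 12 + 16 * num_tables
    for i in range(num_tables):
        rec = offset + 12 + 16 * i
        if rec + 16 > len(data):
            return None
        tag, _checksum, toff, tlen = struct.unpack(">4sIII", data[rec:rec + 16])
        # Table offsets are relative to the sfnt start, not to the PDF file.
        if toff < 12 or offset + toff + tlen > len(data):
            return None  # points outside the buffer: truncated or a false hit
        tables.append((tag.decode("latin-1"), toff, tlen))
        end = max(end, offset + toff + tlen)
    return {"version": data[offset:offset + 4], "tables": tables, "size": end - offset}


def carve_sfnt(data: bytes, offset: int) -> Optional[bytes]:
    """Return the validated font bytes at `offset`, or None if it is not one."""
    info = parse_sfnt(data, offset)
    return None if info is None else data[offset:offset + info["size"]]


def scan_for_sfnt(data: bytes) -> list:
    """Find every plausible sfnt header in `data` as (offset, size) pairs.
    A magic match is kept only if parse_sfnt accepts the directory behind it."""
    hits = []
    for tag in SFNT_TAGS:
        pos = data.find(tag)
        while pos != -1:
            info = parse_sfnt(data, pos)
            if info is not None:
                hits.append((pos, info["size"]))
            pos = data.find(tag, pos + 1)
    return sorted(hits)


def build_sample_sfnt() -> bytes:
    """Constructed toy sfnt with two filler tables (not a usable font)."""
    bodies = [(b"head", b"H" * 54), (b"cmap", b"C" * 100)]
    # offset table: sfntVersion, numTables, searchRange, entrySelector, rangeShift
    header = bytearray(struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(bodies), 32, 1, 0))
    cursor, payload = 12 + 16 * len(bodies), bytearray()
    for tag, body in bodies:
        header += struct.pack(">4sIII", tag, 0, cursor, len(body))
        padded = body + b"\x00" * ((-len(body)) % 4)  # tables are 4-byte aligned
        payload += padded
        cursor += len(padded)
    return bytes(header + payload)


# Constructed container: the toy font wrapped in PDF-like stream syntax.
PREFIX = b"%PDF-1.7\n9 0 obj << /Length 200 /Subtype /TrueType >>\nstream\n"
SAMPLE = PREFIX + build_sample_sfnt() + b"\nendstream\nendobj\n"
SAMPLE_OFFSET = len(PREFIX)

if __name__ == "__main__":
    print(scan_for_sfnt(SAMPLE))
    print(parse_sfnt(SAMPLE, SAMPLE_OFFSET))
```

The carve size is the end of the furthest table rather than the stream's declared /Length, so a font whose directory is intact but whose stream is truncated is rejected instead of being carved short; trailing alignment padding after the last table is dropped, which does not affect parsing.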