Malicious PDF — malware analysis report

Static analysis result for SHA-256 acecb05a195d87fd…

MALICIOUS

PDF

Size: 43.6 KB
Authoring application: PDF Studio
MD5: ed6b7f7e0e423e0f0f17819ec1808397
SHA-1: a1886bdb2e4a553cc67b0558c6d730019e27c058
SHA-256: acecb05a195d87fda58a0042ca7c05239e3175b360371305f0d5bf79451a69eb
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell

The file was flagged by two critical heuristics: a PDF link-farm alert and a ClamAV signature match, 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The document carries numerous external URLs, nearly all of them pointing at further PDF files under similar /uploads/ paths on many unrelated domains (several of them weebly.com subdomains), which matches a generated SEO link-farm carrier used for phishing or malware distribution rather than a genuine document. The primary attack pattern is to route the reader to those externally hosted PDFs.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://vegetarianspacecadet.com/uploads/1/3/0/5/130540472/3468813.pdf
    • http://spiritascend.com/uploads/1/3/0/6/130621277/3358094.pdf
    • http://abettertravelagency.com/uploads/1/3/0/4/130488851/3cb9e84f.pdf
    • http://rpn-permkrai.ru/uploads/2020/01/28/popekenuvez.pdf
    • http://kyle4style.com/uploads/1/3/0/6/130639214/mekiverefuzunakuli.pdf
    • http://kag.g-c-s.investments/uploads/2020/01/28/7023216.pdf
    • http://jepejobag.hair-extension.info/uploads/2020/01/27/raxogozovekokozidada.pdf
    • http://zuxakubof.espace-clientsv3-0range.com/uploads/2020/01/27/5ac2de7f41.pdf
    • http://act-graphics.com/uploads/1/3/0/4/130476709/8118801.pdf
    • http://fepe.audiostart32.icu/uploads/2020/01/28/mevogugubesolaza.pdf
    • http://fiw.posemosen123.com/uploads/2020/01/27/5581188.pdf
    • http://vofar.suot.pro/uploads/2020/01/28/lalisodedomo-zadevobo.pdf
    • http://xowamolen.kropanev.online/uploads/2020/01/29/waxisutavuragogap.pdf
    • https://genusemis.weebly.com/uploads/1/3/0/5/130551279/22c50661523ca.pdf
    • https://kalurivodetim.weebly.com/uploads/1/3/0/2/130271131/xenovobuzuf-jomunovexajej-vujan-wimomil.pdf
    • http://adogenixptyltd.net/uploads/1/3/0/2/130273617/wezoguneluketekugoji.pdf
    • http://sassyheartsboutique.com/uploads/1/3/0/4/130435561/zajokipeg_wamabetumeno_mofekimu_lorigisi.pdf
    • http://stohrs.weebly.com/uploads/1/3/0/2/130272260/2946216.pdf
    • http://keepupwiththekeys.com/uploads/1/3/0/5/130589240/cd21b79672.pdf
    • http://remcofitness.com/uploads/1/3/0/6/130639503/f35e40b73f.pdf
    • https://losadulisov.weebly.com/uploads/1/3/0/4/130476747/36128140.pdf
    • http://aeronika.com/uploads/2020/01/27/detiwidaxosujodu.pdf
    • http://kdstudios.net/uploads/1/3/0/3/130379062/mowexin-rugarexivene-lumaj.pdf
    • http://willowdisplays.com/uploads/1/3/0/6/130620990/zuxapekevunexerut.pdf
    • http://strawberrycookienv.com/uploads/1/3/0/2/130289625/130289625.html#macbeth+act+3+scene+4+exam+question
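The link-farm heuristic and the per-channel URL labelling described above can be reproduced with a short scanner. The Python below is an added example, not the analysis engine's own code: it assembles a constructed single-page PDF (not this sample) whose link annotations, one JavaScript action and page text all carry URLs, labels each URL by the channel that reached it, and then applies a PDF_SEO_LINK_FARM-style rule (small file, many link-annotation URLs ending in .pdf). Host concentration is reported as context rather than required for the flag, since the URLs listed above are spread across many hosts. The thresholds (64 KB, 10 links), the example.test hostnames and the builder function are assumptions for the demo; the regex pass only sees uncompressed objects, so a real sample first needs its object streams and FlateDecode content inflated.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# A PDF literal string "( ... )", honouring backslash escapes such as \( and \).
PDF_STRING = rb"\(((?:\\.|[^\\)])*)\)"
URI_ACTION = re.compile(rb"/URI\s*" + PDF_STRING)              # /A << /S /URI /URI (...) >>  link annotations
JS_ACTION = re.compile(rb"/JS\s*" + PDF_STRING)                # /A << /S /JavaScript /JS (...) >>
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)  # page content streams (document body)
URL_RE = re.compile(r"https?://[^\s()<>\"']+")


@dataclass(frozen=True)
class FoundUrl:
    url: str
    channel: str  # "link annotation", "javascript" or "document body"


def pdf_unescape(raw: bytes) -> str:
    """Drop the backslash from escaped characters in a PDF literal string."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_urls(pdf: bytes) -> List[FoundUrl]:
    """Return every http(s) URL in the file, labelled by the channel that reached it.
    Demo assumption: only uncompressed objects are visible to this regex pass."""
    found: List[FoundUrl] = []
    seen = set()

    def add(url: str, channel: str) -> None:
        if (url, channel) not in seen:
            seen.add((url, channel))
            found.append(FoundUrl(url, channel))

    for m in URI_ACTION.finditer(pdf):
        add(pdf_unescape(m.group(1)), "link annotation")
    for m in JS_ACTION.finditer(pdf):
        for u in URL_RE.finditer(pdf_unescape(m.group(1))):
            add(u.group(0), "javascript")
    for m in STREAM.finditer(pdf):
        for u in URL_RE.finditer(m.group(1).decode("latin-1")):
            add(u.group(0), "document body")
    return found


def link_farm_verdict(pdf: bytes, max_size: int = 64 * 1024, min_pdf_links: int = 10) -> Dict[str, object]:
    """PDF_SEO_LINK_FARM-style rule: a small file whose link annotations point at many
    external .pdf files. Thresholds are assumed for the demo; host concentration is
    reported as context, not required for the flag."""
    pdf_links = [f for f in extract_urls(pdf)
                 if f.channel == "link annotation" and urlparse(f.url).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(f.url).hostname for f in pdf_links)
    top = hosts.most_common(1)[0][1] if hosts else 0
    return {
        "size": len(pdf),
        "external_pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top / len(pdf_links), 2) if pdf_links else 0.0,
        "flagged": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links,
    }


def build_sample_pdf(link_urls: List[str], js_url: str, body_url: str) -> bytes:
    """Assemble a minimal, uncompressed single-page PDF (constructed test input, not the sample above)."""
    content = f"BT /F1 12 Tf 20 20 Td (See {body_url}) Tj ET".encode()
    annots = [f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ({u}) >> >>"
              for u in link_urls]
    annots.append("<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                  f"/A << /S /JavaScript /JS (app.launchURL\\(\"{js_url}\", true\\)) >> >>")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        ("<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Contents 4 0 R "
         f"/Annots [{' '.join(annots)}] >>").encode(),
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# Constructed sample: nine .pdf links on one host, three on others, one keyword-stuffed .html link.
SAMPLE_LINKS = (
    [f"http://cluster.example.test/uploads/1/3/0/5/13054{i:04d}/{i}.pdf" for i in range(9)]
    + ["http://other-one.example.test/uploads/2020/01/28/a.pdf",
       "http://other-two.example.test/uploads/2020/01/27/b.pdf",
       "https://other-three.example.test/uploads/1/3/0/2/130272260/c.pdf",
       "http://other-four.example.test/uploads/1/3/0/2/130289625/index.html#some+exam+keyword"]
)
SAMPLE_JS_URL = "http://js.example.test/x.pdf"
SAMPLE_BODY_URL = "http://body.example.test/page.html"

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_LINKS, SAMPLE_JS_URL, SAMPLE_BODY_URL)
    for f in extract_urls(sample):
        print(f"{f.channel:16} {f.url}")
    print(link_farm_verdict(sample))
```

The channel label matters for triage: a URL reached through a JavaScript action fires without a click, whereas link annotations and bare body text need the reader to act, which is why the report lists the channel next to each URL rather than treating the URL alone as a detection.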

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                     Size
font_00_sfnt_off00001730.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x1730  7728 bytes
  SHA-256: bc6a3d6d328157767bfacc8216794f1e062a2ffd8ae6a1d40c7941a609fb21a1
font_01_sfnt_off00006333.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x6333  16036 bytes
  SHA-256: ddc6c38a5929b263b215a5b0c7aa8b1a409f146866f06980111f9f21a6232bf4