Malicious PDF — malware analysis report

Static analysis result for SHA-256 ade2056fc7597307…

MALICIOUS

PDF

Size: 51.2 KB
Authoring application: QPDF
MD5: e1775d0257d56ef02caef0ff4bb2560b
SHA-1: a112c9e0f1823b1ba30d5c3e8550ef8424df65eb
SHA-256: ade2056fc7597307de05eb5b1c19d7385a31fb6b9a6f0d46e43c9c9e3e437d90
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule, indicating a large number of external links. ClamAV also detected it as Pdf.Phishing.TtraffRobotInstall. The presence of numerous URLs, all pointing to similarly structured PDF files on different domains, strongly suggests a phishing or malware distribution campaign. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://pburg94rescue.org/uploads/1/3/0/3/130379428/pinitalibulopuwineze.pdf
    • http://www.seikerinternational.com/uploads/1/3/0/7/130775025/rowegederivoj.pdf
    • http://www.infrarxservices.com/uploads/1/3/0/6/130604181/tewuzataz.pdf
    • http://oakland-abyssinia-productions.com/uploads/1/3/0/6/130620878/rubofodadiselip-zexazevut.pdf
    • http://mobilebrakesar.com/uploads/1/3/0/6/130639217/medarogegenujunesew.pdf
    • http://mta-sts.mx.jtetlp.org/uploads/1/3/0/3/130379115/89373531de17e43.pdf
    • http://insanetennis.com/uploads/1/3/0/5/130550732/9713674.pdf
    • http://obccbd.com/uploads/1/3/0/7/130738823/8783866.pdf
    • http://ctbflowers.com/uploads/1/3/0/5/130541346/40ff51bdfef3c.pdf
    • http://mogulmeadows.org/uploads/1/3/0/8/130873975/selutuwedu.pdf
    • http://ccf-ag.org/uploads/1/3/0/7/130739740/7793031.pdf
    • http://bsdproperty.com/uploads/1/3/0/5/130545643/kikuva_sasolirid_wanaf.pdf
    • http://popsoupmag.com/uploads/1/3/0/5/130590481/xopugewixunazusa.pdf
    • http://kissdis.com/uploads/1/3/0/6/130603866/2548335.pdf
    • http://northhobby.us/uploads/1/3/0/5/130590279/95dbba4b69643c.pdf
    • http://www.exteriorcontractor.co/uploads/1/3/0/7/130738639/kokozopil-sasiw-tovitirotorigux.pdf
    • http://cycotron.com/uploads/1/3/0/4/130475921/95464.pdf
    • http://taylorperryinteriordesign.com/uploads/1/3/0/7/130775984/mudaziwisofaw.pdf
    • http://fitfoodsexpress.com/uploads/1/3/0/2/130271126/3589289.pdf
    • http://25951894.mx1.globaluplift.com/uploads/1/3/0/3/130313117/dijomajopadorogam.pdf
    • http://shikuangzuqiu2013buding.br3h.com/uploads/1/3/0/4/130435594/130435594.html#inventor+cam+vs+fusion+360

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off0000561c.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x561C    9180 bytes
  SHA-256: 97d97f82607bbba6400b2aeb668c1ce36905eb053c7d9f71518f72b12036e27f
font_01_sfnt_off00007414.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x7414    5244 bytes
  SHA-256: afd8868629b61d85ec32a8a0de1ca84da82d48156cdd7447d7c4f51403cf5149