Malicious PDF — malware analysis report

Static analysis result for SHA-256 afa194ca0a58397c…

MALICIOUS

PDF

Size: 100.0 KB
Authoring application: Soda PDF
MD5: f3057d86dfae284e195c829b112218f9
SHA-1: 702aae6163e635b3f8765939ffd4e9165c01848a
SHA-256: afa194ca0a58397ce7efe8052a0d10a948c2e19c169ab3d816c454ddb16d31bc
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic. ClamAV also detected this as Pdf.Phishing.TtraffRobotInstall-7605656-0, indicating a phishing or malicious redirection campaign. The ML classifier strongly supports the malicious verdict. The document body is heavily obfuscated and does not provide clear textual lures.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9980

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000fb67.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFB67
    Size: 16616 bytes
    SHA-256: 1f97acaba904db6e2dbeec25d24822f35f7419c11c979948424018bfcb82b5af
  • font_01_sfnt_off000126b7.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x126B7
    Size: 1428 bytes
    SHA-256: 91cf9cd4efac8f69dcdf587659185da8236567bce3e9e4f6a5ecd944f50fae4f
  • font_02_sfnt_off00013084.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13084
    Size: 7020 bytes
    SHA-256: 445d6244fe795d2251637e9ea62509b29698acf256930ab0258da05bb6c7dd39