Malicious PDF — malware analysis report

Static analysis result for SHA-256 afafd7a67cc3e200…

MALICIOUS

PDF

39.6 KB Authoring application: Serif PagePlus
MD5: ec870c39d43308abf301ddf1bdf695f7 SHA-1: e6639a3648befdf7c5dc2356860c893b8dbcd0d1 SHA-256: afafd7a67cc3e200c93e38e2ed69105d8a006a3fea46df65be1ba0c4eeca5338
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1566.002 Spearphishing Link

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO spam or to redirect users to malicious sites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent. The document body text is heavily obfuscated and does not provide clear user-facing content, but the overall structure and heuristic firings point to a link-farming or redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://tuzoniwaku.weebly.com/uploads/1/3/0/2/130271137/5dc846b2e3102b.pdf
    • https://bagosinoz.weebly.com/uploads/1/3/0/5/130550756/6773633.pdf
    • http://houseofmapa.com/uploads/1/3/0/5/130546885/2e3f2d2f.pdf
    • http://mafitzdesign.com/uploads/1/3/0/4/130435697/romivazubemaze-bifirig.pdf
    • http://van.easternbusinessdistrict.online/uploads/2020/01/28/ef01998fb61.pdf
    • http://xemepumiw.fotografs.ru/uploads/2020/01/28/xagaf.pdf
    • http://ketam.onlineevents.tech/uploads/2020/01/28/2d10d9956bd.pdf
    • http://designdancestudio.com/uploads/1/3/0/5/130590689/sijokinidawo.pdf
    • http://tapthesky.org/uploads/1/3/0/2/130291552/1539909.pdf
    • https://zagotugow.weebly.com/uploads/1/3/0/5/130550731/efc338c28.pdf
    • http://sijim.24024.ru/uploads/2020/01/27/lekigotono_potugovero.pdf
    • http://zoru.cgt-capgemini-ts.net/uploads/2020/01/28/vivikunafimagededuke.pdf
    • http://zorozuz.punish-me-for.fun/uploads/2020/01/28/4a76c7.pdf
    • http://nujow.penostroy.com/uploads/2020/01/28/d459d17f.pdf
    • http://mobetar.storeshop.xyz/uploads/2020/01/28/finukujewavilakof.pdf
    • http://vigamaxem.kuprygin.com/uploads/2020/01/27/gazefefumef_sasididi_wesal_gusulagamolofaz.pdf
    • http://tufobu.migraskope.com/uploads/2020/01/27/ruvelimakoluwa-zeferotogevugik-wavisizutasaz.pdf
    • http://gavimoku.kvadart.ru/uploads/2020/01/28/xedugitus.pdf
    • https://titexaforezidel.weebly.com/uploads/1/3/0/5/130589286/kejixoduf.pdf
    • http://fajesom.shapewear-official.pro/uploads/2020/01/28/2157435.pdf
    • http://sauerlandhypotheek.nl/uploads/1/3/0/6/130620176/130620176.html#hospital+management+system+html+template+free

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000161a.bin
41dbeb456b692c5e075e0d338b22d30e381ee4e57c25683351ae8c7150fa004d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x161A 8280 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.