Malicious PDF — malware analysis report

Static analysis result for SHA-256 b0aa4653d68df2dc…

Verdict: MALICIOUS
File type: PDF
Size: 83.1 KB
Authoring application: Solid Converter PDF
MD5: b8d707790c0106e01ee378cb8d5b8dcf
SHA-1: 6053c50837a3435018a1c0a290437afe36700033
SHA-256: b0aa4653d68df2dc453427e2e22c8fc3c5f14e504c223ae56d6f6f79b3ce4247
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. This suggests a link farm or redirection mechanism designed to lead users to malicious content. The ClamAV detection and ML classifier further confirm its malicious nature, classifying it as Pdf.Phishing.TtraffRobotInstall. No scripts were extracted from this sample, but the extensive link farm indicates a probable phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9923

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • font_00_sfnt_off000081b9.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x81B9; Size: 2652 bytes
    SHA-256: e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc
  • font_01_sfnt_off00008a8d.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x8A8D; Size: 1388 bytes
    SHA-256: 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0
  • font_02_sfnt_off000095d5.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x95D5; Size: 20716 bytes
    SHA-256: 979c4ed019bf8cf3c8c7aa6330f19648a1925f75eef1025e92698cb5dc0e1e6c
  • font_03_sfnt_off0000cb46.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xCB46; Size: 16128 bytes
    SHA-256: bd8372e165a6d2dcd5d334cf5741030dc20835f850a7f2b19b6593413ba9fe22
  • font_04_sfnt_off0000e30e.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xE30E; Size: 7888 bytes
    SHA-256: 65531a0e0883a1fa1d6d8c50049c72d5e0c6bc848abe033b899444575541464b