Malicious PDF — malware analysis report

Static analysis result for SHA-256 b42eeee36f570dc2…

Verdict: MALICIOUS
File type: PDF
Size: 43.1 KB
Authoring application: PDFedit
MD5: bfb8dd751984387cb3ae13ee39a3a8b2
SHA-1: 022f35a138624bf747d9796b35a9a4a9321062dc
SHA-256: b42eeee36f570dc2a735207cd8873d3424ec03c318a5df33441e0343b9abaa5f
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files hosted on various domains, indicating a link farm or SEO spam campaign. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly suggest malicious intent. No scripts were extracted, and the document body is heavily obfuscated, making it difficult to determine the exact lure or payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00002d19.bin
    SHA-256: 96013b5be735080d98c40369af3aafc702fe667e33a5ad28e76dd2b72c164c35
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2D19
    Size: 16148 bytes
  • font_01_sfnt_off000041c7.bin
    SHA-256: 9a1ee7b1b1f8e516e4ac2fab314db06c7833e078a12e0d18ec7fd4c9506e0b2d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x41C7
    Size: 2844 bytes
  • font_02_sfnt_off00004ea8.bin
    SHA-256: 10f80e1563a2aca43356f0e8a16037547b2a97f7d2ea7de11e9c720e9824a10b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4EA8
    Size: 8300 bytes