Malicious PDF — malware analysis report

Static analysis result for SHA-256 bcf39d0365db7750…

MALICIOUS

PDF

44.9 KB Authoring application: Nitro PDF First seen: 2021-07-07
MD5: 6da80c7fbf352703af98507b29b066a3 SHA-1: d374961cc95c0d8da48693c4d59cfc76b24ec55c SHA-256: bcf39d0365db77502c61c1d6954d085a5f68efc3ff4bc6eb511f85bdff6f5b73
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO spam or to redirect users to malicious content. ClamAV identified this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and a critical heuristic detected a 'PDF_SEO_LINK_FARM'. The document body itself is heavily obfuscated but contains some of the same URLs, reinforcing the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://vivov.hoyut.icu/uploads/2020/01/28/winojux.pdf In PDF document text
    • http://petek.bangojango.me/uploads/2020/01/28/puzijepagika.pdfIn PDF document text
    • http://tasavuv.nikitpvv74club.ru/uploads/2020/01/28/0a17665629e26e.pdfIn PDF document text
    • http://rostelecomgid.info/uploads/2020/01/28/4820970.pdfIn PDF document text
    • http://balkony-msk.ru/uploads/2020/01/27/fuxunujawigiraxagilu.pdfIn PDF document text
    • http://jibat.novostroyki-barnaul.ru/uploads/2020/01/28/bajote.pdfIn PDF document text
    • http://rakeza.painttech.store/uploads/2020/01/27/fusugobapekosimodan.pdfIn PDF document text
    • http://fegosola.sverhpotok.com/uploads/2020/01/27/941c31.pdfIn PDF document text
    • http://dexisibami.jila12.ru/uploads/2020/01/27/3348445.pdfIn PDF document text
    • http://jexof.tele2store.ru/uploads/2020/01/28/7164d03a7d.pdfIn PDF document text
    • http://dukum.lakan.ru/uploads/2020/01/27/244d40409c4fbd.pdfIn PDF document text
    • http://vavaxo.woohoogay.com/uploads/2020/01/27/88c44.pdfIn PDF document text
    • http://rnb.name/uploads/2020/01/27/4811317.pdfIn PDF document text
    • https://wapuwokev.weebly.com/uploads/1/3/0/3/130379818/130379818.html#cisco+access+point+sniffer+mode+wiresharkIn PDF document text
    • http://dejavu.sourceforge.netIn PDF document text
    • http://dejavu.sourceforge.net/wiki/index.php/LicenseIn PDF document text

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000130a.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x130A 8260 bytes
SHA-256: 8a2495c515fa756d383f87104ca1f99659f0bba2d25533f3220244238bdd5b5d
font_01_sfnt_off000067b4.bin pdf-font-stream PDF embedded font (sfnt) at offset 0x67B4 16376 bytes
SHA-256: 75ad5726b260fca9c3b66ca94450239fbc156c1891091fcfcfab965e4b2051b2

Open this report in the interactive analyzer, or submit your own file for analysis.