Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf7b6321aaf36071…

Verdict: MALICIOUS
File type: PDF
Size: 64.5 KB
Authoring application: pstoedit
MD5: d6ee8914a202e61fd89a5d1fc37356cd
SHA-1: 1b93b911e74e030876d8fdbab70e8111a89528b7
SHA-256: bf7b6321aaf360718d27c408dbc37035d6b51fbfffab02213b89b530124a6013
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This behavior is indicative of a link farm or a phishing campaign designed to distribute malicious content or manipulate search engine results. The ClamAV detection and ML classifier strongly support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV detection (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001335.bin
  SHA-256: 65a05a37d2fe1d1028584b26d30c300bb3ba21f78ed1e0106eeac04dbdf6c883
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1335
  Size: 8848 bytes

Filename: font_01_sfnt_off0000b748.bin
  SHA-256: af19efb7a9162253415e60a41a822d39fca3be1f9d7a7d9fc69485b6262265ed
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xB748
  Size: 16068 bytes