Malicious PDF — malware analysis report

Static analysis result for SHA-256 c10a06e6f6a6f24c…

Verdict: MALICIOUS
File type: PDF
Size: 56.4 KB
Authoring application: PDF Studio
MD5: f9396a208c6a54b4ebc7f2f67679a202
SHA-1: 72a3ec4919562623b3f391cbf4ccb6cc061021cd
SHA-256: c10a06e6f6a6f24cd82b1dc9a42e4806585ceb50e009f4008cfa488e6a351c53
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV detection strongly indicate malicious intent, specifically related to phishing. The document body, though heavily obfuscated, contains references to 'Actual test toeic pdf' and several URLs, reinforcing the lure. The primary attack pattern involves directing users to a network of linked PDFs, likely to host further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00001389.bin
    SHA-256: e6f1b124172bd49a460413a7e91836f9f0e6d3edae643d546b0e230bf2aff7a7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1389
    Size: 11328 bytes
  • font_01_sfnt_off00008ed9.bin
    SHA-256: f2d47081fd742979258ec47128be6471711659cfbe2fa2253a985b0e472b0105
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8ED9
    Size: 22984 bytes