Malicious PDF — malware analysis report

Static analysis result for SHA-256 c4d382405a5f2978…

MALICIOUS

PDF

Size: 40.1 KB
Authoring application: Poppler-utils
MD5: d04daf57a48d30159f19f9ca4add7b62
SHA-1: 200af1d1df14b5dfbd2ee51edbf6fe86344cd797
SHA-256: c4d382405a5f29786a62588938dcbf76ba6221f2bcbab01ca9a4788453d81a76
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of link annotations pointing to external PDF files hosted on many different domains under an identical path template, a pattern typical of generated SEO-poisoning documents used to route users into malicious or unwanted-software delivery chains. ClamAV identified the file as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', indicating a phishing or traffic-redirection scheme, and the ML classifier also strongly indicated maliciousness. No embedded JavaScript or launch actions were reported; the risk is in the destinations the links lead to, not in the PDF executing anything itself.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mishakaura.com/uploads/1/3/0/7/130775796/fatukamatu-sulenukuxav.pdf
    • http://securuscorretaje.com/uploads/1/3/0/5/130588780/rosemazifedegogidade.pdf
    • http://webmail.hidrogym.com/uploads/1/3/0/6/130620650/60afd7807d5d756.pdf
    • http://printable-ebooks.com/uploads/1/3/0/6/130639506/mabovesolufuzasuvad.pdf
    • http://aplusparkinglotstriping.com/uploads/1/3/0/8/130874585/gamesurolir.pdf
    • http://kresadmissions.com/uploads/1/3/0/6/130640198/miwilif.pdf
    • http://incrediblemeatdeals.com/uploads/1/3/0/2/130289793/setajumu.pdf
    • http://andreasheedybrown.com/uploads/1/3/0/6/130603977/jonewa-gimizi-zuvenakulojezu-jolamox.pdf
    • http://blazinginformatics.com/uploads/1/3/0/5/130588940/lugavidosidogebimupu.pdf
    • http://www.blackboxcandle.com/uploads/1/3/0/5/130550809/1356047.pdf
    • http://fbcsavmo.net/uploads/1/3/0/5/130551219/zifutanuk.pdf
    • http://asuperiorchoicecleaners.com/uploads/1/3/0/2/130289347/a3a734.pdf
    • http://bobcatinfo.org/uploads/1/3/0/5/130538931/375ec0a8ea1c.pdf
    • http://www.solerconsulting.com/uploads/1/3/0/2/130289355/gijimu.pdf
    • http://bergerondodgechryslerjeep.com/uploads/1/3/0/4/130489527/davugenogomefupikek.pdf
    • http://mgbbsewing.com/uploads/1/3/0/5/130550824/341b84195f27.pdf
    • http://www.legacyloki.com/uploads/1/3/0/3/130313422/119aaaeee.pdf
    • http://onestoneworks.com/uploads/1/3/0/2/130287997/besemage.pdf
    • http://www.mapuae.com/uploads/1/3/0/8/130873973/guzononepajorom.pdf
    • http://www.kmcintirevarietypack.com/uploads/1/3/0/3/130313641/130313641.html#dural+venous+sinuses+anatomy+zone
    • http://aplusparkinglotstriping.co
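The two heuristics above (URL extraction from link annotations, then the small-file/mass-external-PDF-link rule) can be reproduced with a short script. The following is an added example written for this page, not code from the analysis engine that produced the report. It assumes the PDF is uncompressed (no object streams or FlateDecode; a real sample would first be normalised with a tool such as qpdf --qdf), and the hosts, paths and thresholds (10 links, 200 KB) are hypothetical values chosen for illustration, not taken from the sample or the engine.

```python
"""Extract /URI link annotations from an uncompressed PDF and apply a
link-farm heuristic: a small file carrying many external .pdf links.
Added example; hosts, paths and thresholds are illustrative assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# PDF strings in a /URI entry may be literal "(...)" or hex "<...>".
LITERAL_URI = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.S)
HEX_URI = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def _unescape(s: bytes) -> bytes:
    # Undo the literal-string escapes that can legitimately appear in a URL.
    return re.sub(rb"\\([()\\])", rb"\1", s)


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in the (uncompressed) PDF bytes."""
    found = [_unescape(m) for m in LITERAL_URI.findall(pdf)]
    for h in HEX_URI.findall(pdf):
        digits = re.sub(rb"\s", b"", h).decode()
        if len(digits) % 2:           # PDF pads an odd final nibble with 0
            digits += "0"
        found.append(bytes.fromhex(digits))
    return [u.decode("utf-8", errors="replace") for u in found]


def analyze(pdf: bytes, min_links: int = 10, max_size: int = 200 * 1024) -> dict:
    """Apply the link-farm rule and report the supporting statistics."""
    uris = extract_uris(pdf)
    pdf_links = [u for u in uris
                 if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(pdf),
        "uris": len(uris),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_share, 2),
        "flagged": len(pdf) <= max_size and len(pdf_links) >= min_links,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Construct a minimal uncompressed PDF with one /Link annotation per URL.
    Test fixture only; alternates literal and hex string encodings."""
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        f"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Annots [{refs}] >> endobj".encode(),
    ]
    for i, u in enumerate(urls):
        if i % 2:
            uri = b"<" + u.encode().hex().encode() + b">"
        else:
            esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
            uri = b"(" + esc.encode() + b")"
        objs.append(f"{4 + i} 0 obj << /Type /Annot /Subtype /Link "
                    f"/Rect [0 {10 * i} 100 {10 * i + 10}] "
                    f"/A << /S /URI /URI ".encode() + uri + b" >> >> endobj")
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


# Constructed URL set mimicking the report's "/uploads/1/3/0/N/<name>.pdf"
# template: 8 links on one host, 2 each on two others, plus one non-PDF link.
SAMPLE_URLS = (
    [f"http://farm-a.example/uploads/1/3/0/7/doc{i}.pdf" for i in range(8)]
    + [f"http://farm-b.example/uploads/1/3/0/5/b{i}.pdf" for i in range(2)]
    + [f"http://farm-c.example/uploads/1/3/0/2/c{i}.pdf" for i in range(2)]
    + ["https://example.org/contact"]
)


def analyze_sample() -> dict:
    return analyze(build_sample_pdf(SAMPLE_URLS))


if __name__ == "__main__":
    print(analyze_sample())
```

Run against the constructed fixture, the rule fires: 13 URIs extracted, 12 of them external .pdf links across 3 hosts, with two thirds on a single host. Two caveats a practitioner should keep in mind: the regex approach sees nothing inside compressed object streams, so always decompress first, and the rule is a carrier heuristic, not proof that any individual destination is hostile; the per-URL channel labels and the ClamAV hit are what move this sample from "suspicious" to "malicious".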

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00003f3c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x3F3C  7592 bytes
  SHA-256: a647f1bf1ea2f9be015449aed0c6599a734e32879b007037a96d903475e69cd1