Malicious PDF — malware analysis report

Static analysis result for SHA-256 c75026424deb174c…

Verdict: MALICIOUS
File type: PDF
Size: 32.7 KB
Authoring application: Smallpdf Desktop
MD5: 37d49e6c67bf0dc216a54bd10863bf30
SHA-1: 631a1eda04b1f4661174b3e71a5b13e9a4562b05
SHA-256: c75026424deb174c1183d3d715001c134540b6dcd9a9e80b33c614cb6a0f2f5d
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.003 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The sample is a small PDF whose body carries a large number of clickable external links to other PDFs hosted on many unrelated third-party sites (reported as compromised), a pattern characteristic of a generated SEO link farm rather than genuine document citations. The document uses an 'Inquisitor 40k movie' lure to draw clicks (the same keyword appears as a fragment in the final URL below), and ClamAV flags the file as Pdf.Phishing.TtraffRobotInstall. No JavaScript, embedded executable or exploit-style object is reported; the risk lies in where the links lead.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external .pdf links that are structurally uniform: either clustered on one host, or, as in this sample, spread across 24 distinct hosts that all share the same /uploads/1/3/0/N/<numeric id>/<name>.pdf path template. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All URLs below are plain http:// targets.
    • http://resimmagnet.net/uploads/1/3/0/6/130604018/dubigoroxezegat_jusalipakibefe_veweloworejudil.pdf
    • http://nerdendo.com/uploads/1/3/0/6/130639613/saxinezipu.pdf
    • http://treymoore.net/uploads/1/3/0/6/130620998/818e812ed8803.pdf
    • http://dgaccountingtax.com/uploads/1/3/0/6/130639765/3138773.pdf
    • http://giantacorn.com/uploads/1/3/0/4/130491001/tilub.pdf
    • http://northstarcare.org/uploads/1/3/0/6/130620574/a50676944a.pdf
    • http://previewclass.com/uploads/1/3/0/8/130814161/betodozepug.pdf
    • http://aspenfamilymedicine.com/uploads/1/3/0/4/130435985/2551661.pdf
    • http://cafedonruiz.com/uploads/1/3/0/4/130435851/7427363.pdf
    • http://mooretre.com/uploads/1/3/0/6/130604667/balofezufolerelenize.pdf
    • http://ssjohn832.com/uploads/1/3/0/2/130289784/7ed0ca36d4d3d2.pdf
    • http://band-ems.org/uploads/1/3/0/3/130313585/nagelobamixox.pdf
    • http://playtherapyseattle.com/uploads/1/3/0/6/130639379/ninefux-dumip.pdf
    • http://mhsclassof1976.com/uploads/1/3/0/6/130620455/4ff3faf7.pdf
    • http://multitechroma.com/uploads/1/3/0/3/130323599/tulifali-lovise-donagavogaguxe.pdf
    • http://lexington-mls.com/uploads/1/3/0/8/130813403/povibikupolafegos.pdf
    • http://epiccodingmusic.com/uploads/1/3/0/2/130291415/9190431.pdf
    • http://centerofpeacefulendeavors.com/uploads/1/3/0/7/130739225/9254849.pdf
    • http://ladyablesartistry.com/uploads/1/3/0/5/130550882/ee5e7.pdf
    • http://womenofmindfulbusiness.com/uploads/1/3/0/7/130740209/06225.pdf
    • http://boonesushi.com/uploads/1/3/0/4/130476589/7495678.pdf
    • http://nuevavistamenorca.com/uploads/1/3/0/7/130739385/5c672.pdf
    • http://noradragoon.com/uploads/1/3/0/2/130270906/fefuf.pdf
    • http://ankezimmermann.ca/uploads/1/3/0/5/130550833/130550833.html#inquisitor+40k+movie
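The link-farm heuristic above can be reproduced offline. The following is an added example, not the report engine's code: it pulls /URI targets from link annotations in raw PDF syntax, then checks the three signals the heuristic describes (small file, many .pdf links, links clustered on one host or one path template). The thresholds, the .example host names and the two constructed PDFs are assumptions made for the demonstration; the path-template normalisation shows the same /uploads/N/N/N/N/N/ pattern seen in this sample's URL list.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical thresholds chosen for this example; the report's engine does not publish its own.
MAX_SIZE = 200 * 1024    # what counts as a "small" PDF
MIN_PDF_LINKS = 10       # how many clickable .pdf links is "many"
CLUSTER_SHARE = 0.5      # share of links that must sit on one host or one path template

# /URI (literal string) inside a link annotation's /A action; tolerates backslash escapes.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def _unescape(raw: bytes) -> str:
    # Drop PDF literal-string backslash escapes (\( \) \\); enough for URL strings.
    return re.sub(r"\\(.)", r"\1", raw.decode("latin-1"))


def extract_uris(pdf: bytes) -> list[str]:
    """Pull /URI targets out of raw, uncompressed PDF syntax.
    Limitation: does not inflate FlateDecode object streams or decode hex strings,
    so inflate streams first when triaging real samples."""
    return [_unescape(m.group(1)) for m in _URI_RE.finditer(pdf)]


def path_template(url: str) -> str:
    """Normalise a URL path: digit runs become N, the file name becomes <file>,
    so /uploads/1/3/0/6/130604018/x.pdf -> /uploads/N/N/N/N/N/<file>."""
    parts = urlsplit(url).path.split("/")
    dirs = [re.sub(r"\d+", "N", p) for p in parts[:-1]]
    return "/".join(dirs + ["<file>"])


def assess(pdf: bytes) -> dict:
    """Score one PDF against the link-farm heuristic and return the evidence."""
    uris = extract_uris(pdf)
    pdf_links = [u for u in uris
                 if urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(urlsplit(u).netloc.lower() for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    tpl_share = templates.most_common(1)[0][1] / n if n else 0.0
    link_farm = (len(pdf) <= MAX_SIZE and n >= MIN_PDF_LINKS
                 and (host_share >= CLUSTER_SHARE or tpl_share >= CLUSTER_SHARE))
    return {
        "size": len(pdf), "uris": len(uris), "pdf_links": n, "hosts": len(hosts),
        "top_host_share": round(host_share, 2),
        "top_template": templates.most_common(1)[0][0] if n else None,
        "top_template_share": round(tpl_share, 2),
        "link_farm": link_farm,
    }


def build_pdf(urls: list[str]) -> bytes:
    """Constructed minimal PDF with one /Link annotation per URL. It has no xref
    table; the regex extractor above does not need one."""
    def esc(u: str) -> str:
        return u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    refs, objs = [], []
    for i, u in enumerate(urls, start=4):
        refs.append(f"{i} 0 R")
        objs.append(f"{i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [72 {720 - 14 * i} 400 {732 - 14 * i}] "
                    f"/A << /S /URI /URI ({esc(u)}) >> >>\nendobj\n")
    doc = ("%PDF-1.4\n"
           "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
           "3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
           f"/Annots [{' '.join(refs)}] >>\nendobj\n"
           + "".join(objs) + "%%EOF\n")
    return doc.encode("latin-1")


# Constructed inputs (hypothetical .example hosts, not the sample's URLs): a farm carrier with
# twelve .pdf links on twelve different hosts that all share one upload-path template,
# and a benign document with two ordinary citations.
FARM_URLS = [f"http://farm-host-{i:02d}.example/uploads/1/3/0/{i % 9}/1306{i:05d}/file{i}.pdf"
             for i in range(1, 13)]
BENIGN_URLS = ["https://example.org/papers/rfc-summary.pdf", "https://example.com/about.html"]
FARM_PDF = build_pdf(FARM_URLS)
BENIGN_PDF = build_pdf(BENIGN_URLS)

if __name__ == "__main__":
    for name, pdf in (("farm", FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, assess(pdf))
```

The template check matters for this sample: a pure per-host threshold would miss it, since every link is on a different domain, while the identical numeric upload path across all 24 hosts is what gives the farm away. On real files, decompress object streams (for example with a PDF library's stream inflation) before running the regex, otherwise link annotations inside compressed streams are never seen.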

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001fb1.bin
SHA-256: 2e3131d4c997ac3c8805c8f8bc42ef13dfe5bf5228159114e5b2a17034fb7649
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1FB1
Size: 6996 bytes