Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7f3ac38f171896f…

Verdict: MALICIOUS
File type: PDF
Size: 40.9 KB
Authoring application: Adobe PDF Library 9.0
MD5: afdbe159d2d49d3e086bf9e37c7b6195
SHA-1: 5e166d5ab221c1638d482f864a39c06dcb9887a8
SHA-256: c7f3ac38f171896f310057fe73c4e1d3c11dc888bd68d5c3282aec32ec6acea6
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests a phishing or SEO spam campaign. The ML classifier and ClamAV detection strongly support the malicious verdict. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://nobupaloalto.devsite-1.com/uploads/1/3/0/6/130639744/mobofebilatedo.pdf
    • http://mytourphone.com/uploads/1/3/0/5/130588780/360d98e0ccff5.pdf
    • http://honleysamba.com/uploads/1/3/0/8/130814510/4984533.pdf
    • http://cloud-able.com/uploads/1/3/0/2/130288854/657cc.pdf
    • http://www.stephenbarradell.com/uploads/1/3/0/6/130621373/6862490.pdf
    • http://mx.touchpointtherapeutics.com/uploads/1/3/0/5/130539672/6231565.pdf
    • http://www.swaymyheart.com/uploads/1/3/0/4/130488265/958177.pdf
    • http://belindabucknell.com.au/uploads/1/3/0/5/130588468/dagewu_zupawub_zoketalanu_pevademazo.pdf
    • http://cbdsnacks.me/uploads/1/3/0/4/130476720/1465648.pdf
    • http://www.drandreawhelan.com/uploads/1/3/0/6/130620556/tuwel.pdf
    • http://jagfinancial.net/uploads/1/3/0/7/130775846/pujax-sezadawuv-wefofijure.pdf
    • http://www.jesschristinephotography.com/uploads/1/3/0/2/130288301/zimazugolifuma.pdf
    • http://bridgecrowdfund.com/uploads/1/3/0/2/130291592/kuloralat.pdf
    • http://www.nashvilletotalimage.com/uploads/1/3/0/6/130639221/bopixenik.pdf
    • http://medicinaeinformazione.it/uploads/1/3/1/0/131070062/a797672c.pdf
    • http://71-159-221-59.overtimefitness.com/uploads/1/3/0/5/130545429/130545429.html#sources+of+medieval+indian+history+literary
    • http://mytourphone.com/uploads/1/3/0/5/130

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000471a.bin
SHA-256: 7f09e030897d1511a64b0f45811519a6ad79c7550946ff0f0ae5d9f12ea545e1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x471A
Size: 7412 bytes