Malicious PDF — malware analysis report

Static analysis result for SHA-256 c838371b1d9bc6fe…

Verdict: MALICIOUS
File type: PDF
Size: 37.6 KB
Authoring application: PDFedit
MD5: accbfac2e72044a73db5c7d873324cfd
SHA-1: 868439982fc9ff85fd876bf950be719ad4c993c2
SHA-256: c838371b1d9bc6febafb665ab6364a71961c7c5f638d6597ba8be0b9d4410e58
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to other PDF files hosted on various domains, indicative of a link farm or redirection scheme. ClamAV identified this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', suggesting a phishing or traffic-generation purpose. The ML classifier also strongly flagged this as malicious. No scripts were extracted, but the sheer volume of external links points to a malicious distribution or redirection strategy.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://wyongequineclinic.com/uploads/1/3/0/6/130604977/zojanafobi.pdf
    • http://mjrich.net/uploads/1/3/0/4/130476122/jabibutezifogikoxu.pdf
    • http://jbdrendering.com/uploads/1/3/0/7/130775627/284227.pdf
    • http://webdisk.turningpointbaptistchurch.org/uploads/1/3/0/6/130620524/6981759.pdf
    • http://www.moonmojo.net/uploads/1/3/0/2/130272347/893842.pdf
    • http://amitypublishers.com/uploads/1/3/0/6/130639257/demijutanej_xopetobazulaz_suniw.pdf
    • http://metoomvntinfo.com/uploads/1/3/0/7/130740033/8918722.pdf
    • http://nrcm.com.au/uploads/1/3/0/4/130479312/5954519.pdf
    • http://slgmediagroup.com/uploads/1/3/0/7/130738719/8129358.pdf
    • http://gpufx.com/uploads/1/3/0/5/130550698/zakuxadala_pemano_meluxir.pdf
    • http://atlasbuy.net/uploads/1/3/0/6/130621304/16cc66d59f3b0.pdf
    • http://www.keithstruckstop.com/uploads/1/3/0/2/130272629/poxifulew.pdf
    • http://journeytosimplicity.org/uploads/1/3/0/6/130605084/5986839.pdf
    • http://sharpexteriors-ar.com/uploads/1/3/0/2/130291493/sukalepaterab.pdf
    • http://barrysherbals.com/uploads/1/3/0/5/130589409/kobuw.pdf
    • http://carolinaeast.live/uploads/1/3/0/7/130775590/movigeluxekej.pdf
    • http://kcgatorclub.com/uploads/1/3/0/2/130270945/zimujexol.pdf
    • http://reelectjudgeericshepperd.org/uploads/1/3/0/7/130775977/c6e2f39757bbc.pdf
    • http://prestomagictravel.voyagerwebsites.com/uploads/1/3/0/8/130874156/130874156.html#solving+inequalities+with+absolute+value+practice+problems
    • http://sharpexteriors-ar.com/uploads/1/3/0/2/130291493/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000034c3.bin
SHA-256: 118058b27557898eb1f159842ecc5f25173b6ec2b700aae45f3b8bb799b25f43
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x34C3
Size: 8176 bytes