Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb25917a34f284f0…

MALICIOUS

PDF

Size: 39.9 KB
Authoring application: SWFTools
MD5: 00b20bd6f068d6ddbf360e1ed837ccf8
SHA-1: 1d1bb381d874fd0c5fc024cae15f999d7bd5abc3
SHA-256: cb25917a34f284f0ec51ee1b686c563a3ce9f55785d2d95fdeda92bb350f18ef
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This technique is commonly used for SEO poisoning or to redirect users to malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://stephenknighttattoo.com/uploads/1/3/0/5/130550879/donibaxijud.pdf
    • http://moannasworkroominteriorsandstaging.com/uploads/1/3/0/5/130590622/ritoxobusidax.pdf
    • http://beaconbeerco.com/uploads/1/3/0/6/130621794/703ec2c66f6.pdf
    • http://chargehealth.org/uploads/1/3/0/6/130604429/tekewojiwex.pdf
    • http://shipfree.me/uploads/1/3/0/5/130589122/dad4790c84.pdf
    • http://connectionsthruart.com/uploads/1/3/0/5/130588187/1797587.pdf
    • http://mystarcleaner.com/uploads/1/3/0/2/130288379/356195.pdf
    • http://mrfriedliclass.com/uploads/1/3/0/2/130289262/bijaru-keviwa-xukededojidu.pdf
    • http://biscuiteering.com/uploads/1/3/0/5/130588721/531146.pdf
    • http://mangocitrus.ca/uploads/1/3/0/6/130603760/vewagilisofumolemis.pdf
    • http://skipcoryell.com/uploads/1/3/0/5/130539412/0f19681874865f.pdf
    • http://moldyold.com/uploads/1/3/0/6/130621156/6e2ec17.pdf
    • http://miracleinabucket.com/uploads/1/3/0/4/130490277/130490277.html#sample+of+application+letter+for+volunteer+work

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000014bd.bin
SHA-256: f013e91b30f65229c88350c5ec8916f6dda8951cf044122af413d3fc51139f41
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x14BD
Size: 8448 bytes