Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb666802a850e708…

Verdict: MALICIOUS

File type: PDF
Size: 33.6 KB
Authoring application: Adobe PDF Library 9.0
MD5: 2c4540c6ecf3fbf475dacce202891a73
SHA-1: aeadbfecd5f2f5d1ce784e375920771cc4f79130
SHA-256: cb666802a850e708a8cbf61479b2e58759ffaf3c52ac0940880525d33e21ce97
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection and ML classifier also indicate maliciousness. The embedded links likely serve to direct traffic to other malicious or phishing sites, or to inflate SEO metrics for compromised domains. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • font_00_sfnt_off00001244.bin
    SHA-256: 9c786a2307f074627c1388f603fc3be3f13e3205118b8493f4e158153cee2823
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1244
    Size: 8932 bytes
  • font_01_sfnt_off000047de.bin
    SHA-256: 83d89f79375f7f339e88070a8779324ce221c94923bff415e388e162fbc46cfe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x47DE
    Size: 2604 bytes