Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc0a396947783a52…

MALICIOUS

PDF

Size: 34.1 KB
Authoring application: PDFBox
MD5: efbc207db7244e7f9b6a202907a8c6ee
SHA-1: 0c51195adebbbbfd5b2b335bd60f52cadc166aa7
SHA-256: cc0a396947783a523cadf6ce66996c8599c8cab2edd5daede3e0d6653062b52c
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO poisoning or distributing malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent. No scripts were extracted from this sample, but the sheer volume of outbound links suggests a coordinated effort to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://www.codeply.com/go/SkIJQ5LqK
    • http://fr.sabinetobback.be/uploads/1/3/0/4/130435650/7acf83edac6e825.pdf
    • http://www.assistancebutton.com/uploads/1/3/0/4/130435721/5548777.pdf
    • http://manpinc.org/uploads/1/3/0/5/130543772/9c40473ec392e.pdf
    • http://www.simplybookkeeping.co.uk/uploads/1/3/0/5/130545537/7558737.pdf
    • http://www.astralpics.com/uploads/1/3/0/4/130488583/38b6a0.pdf
    • http://clarinetrepairs.org/uploads/1/3/0/6/130639061/42f4f83d58f62.pdf
    • http://bergeronauto.biz/uploads/1/3/0/4/130483617/88296.pdf
    • http://villamklima.com/uploads/1/3/0/6/130639131/5067404.pdf
    • http://beyond360media.com/uploads/1/3/0/5/130543377/6774443.pdf
    • http://funafutimovie.com/uploads/1/3/0/5/130544625/5059006.pdf
    • http://luckyeyesband.com/uploads/1/3/0/5/130542875/21a68561f9.pdf
    • http://byromtakeout.com/uploads/1/3/0/5/130590058/9991039.pdf
    • http://uniabuja-alumni.com/uploads/1/3/0/6/130639199/kokiwomemojopet.pdf
    • http://aquinasenglish.com/uploads/1/3/0/7/130776865/6217347.pdf
    • http://moneynerd.net/uploads/1/3/0/6/130621744/4295982.pdf
    • http://symbolforschung.net/uploads/1/3/0/5/130589302/9390668.pdf
    • http://legacyandalchemy.net/uploads/1/3/0/3/130379199/6135290.pdf
    • http://naka-g.creps-inc.jp/uploads/1/3/0/4/130476556/givexuvovetedazalev.pdf
    • http://www.commercialcompliance.com/uploads/1/3/0/8/130813860/fimun-fabofatunagitu-luzovuriz-bixasagosuzix.pdf
    • http://jordansummers.net/uploads/1/3/0/5/130539783/xesez-nolaralajisila-tefer-fufin.pdf
    • http://millennialtraveleats.com/uploads/1/3/0/5/130539553/b04ddeccc60b4f.pdf
    • http://alphaleadconsulting.com/uploads/1/3/0/5/130540266/2521299.pdf
    • http://dev2design.com/uploads/1/3/0/3/130324248/wafabulujiro.pdf
    • http://undertheoaktravelllc.voyagerwebsites.com/uploads/1/3/0/5/130590157/130590157.html#file+upload+button+bootstrap+4
    • http://www.astralpics.com/upload

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000022b2.bin
SHA-256: 2399f7c18e3c7d52ca768e5bdf539c9e9a5baff8a14a466240daa8fe36588fbe
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x22B2
Size: 7852 bytes