Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf39e53350dd5c41…

MALICIOUS

PDF

Size: 47.0 KB
Authoring application: PDF Studio
MD5: 1cbd18870005b99dff2e8d63a1acb143
SHA-1: 20d3493a4d47afe8fcd816059106c62b1802b1cb
SHA-256: cf39e53350dd5c41b30b12f3d31b9a46b587227251cd59b2aa1e376b39515844
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links to other PDF files hosted on various domains, indicating a link farm or redirection strategy. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' and the ML classifier score strongly suggest malicious intent. The embedded URLs are the primary indicators of compromise and likely serve as lures for phishing or malware downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://mylatestfavoritething.com/uploads/2020/01/29/774031.pdf
    • http://tuneintohealing.com/uploads/1/3/0/6/130621382/walifubedutaz-riwamowoledutex-soxisaforamobok-rixafuzapokeke.pdf
    • http://pagesdale.com/uploads/1/3/0/6/130604213/1513218.pdf
    • http://redlinexcavating.com/uploads/1/3/0/6/130639652/9585169.pdf
    • http://rockthecatspa.biz/uploads/1/3/0/5/130590564/130590564.html#soil+temperature+for+planting+vegeta

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000108e.bin | 243b983eb8a63b788752876724c882488fc42f696bc891081f23aea73f668b02 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x108E | 8540 bytes
font_01_sfnt_off00007111.bin | d12e1945699adc080c3e2f49a2c45ee9a70cbb178c18d882f92367fcd923f800 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7111 | 16396 bytes