Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf836439aec8fcfb…

Verdict: MALICIOUS
File type: PDF
Size: 38.2 KB
Authoring application: PDF Studio
MD5: a1b7bd7d53baee5b3277052e6b999bd7
SHA-1: c6db2e36c13ae74c5dd7bc40cb4613c9fbe65fa5
SHA-256: cf836439aec8fcfb0998b8b44d985cbda365f8fad012f4bcd14bf6185fe667ce
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF carries a large number of clickable link annotations pointing at external PDF files. The targets sit on many different domains but share one generated upload-path layout (/uploads/1/3/0/<n>/<id>/<name>.pdf), a pattern used for SEO manipulation and to route victims into further malicious or unwanted-software download chains. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier's score of 1.0 both indicate malicious intent. The document body is heavily obfuscated and exposes no clear textual lure. Note that the T1059.001 (PowerShell) mapping is not backed by any finding listed in this report: no script content was extracted, and the only delivery channel observed is the link annotations.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://brilliantautoreflections.com/uploads/1/3/0/7/130776630/meseroto_rilapejaf_gujonuxokuxul_xirosir.pdf
    • http://weproudlybrewstarbucks.net/uploads/1/3/0/6/130604644/pasejosu.pdf
    • http://onamishon.com/uploads/1/3/0/5/130543074/vupatudas.pdf
    • http://quakestudentconferences.net/uploads/1/3/0/4/130435826/lejiviz_putog.pdf
    • http://nexgenmarketingagency.com/uploads/1/3/0/3/130324350/8013310.pdf
    • http://stewarthousecommunitysupportservices.org/uploads/1/3/0/6/130621663/aa69d222eb5b.pdf
    • http://www.themindfulmillennial.space/uploads/1/3/0/6/130620892/zinokewixekemu.pdf
    • http://3mtruedefinitionlab.com/uploads/1/3/0/5/130588616/wukewugusib.pdf
    • http://www.cdteachers.com/uploads/1/3/0/5/130590076/lexilode.pdf
    • http://pantsbysamstore.com/uploads/1/3/0/7/130740195/6360342.pdf
    • http://howtosoul.com/uploads/1/3/0/7/130738596/df90c1e18e942f.pdf
    • http://grobins.org/uploads/1/3/0/2/130270747/a41a3badaf982.pdf
    • http://biblewitnessministries.com/uploads/1/3/0/5/130588951/rudifugakirilek.pdf
    • http://synthetics78.com/uploads/1/3/0/6/130620194/9485830.pdf
    • http://kootenaycured.com/uploads/1/3/0/6/130621714/2302318.pdf
    • http://moneytipmonday.com/uploads/1/3/0/6/130639534/kolejaputagum_zomulajixitinin_likudifo_foramegaxaxeg.pdf
    • http://merelytenacity.com/uploads/1/3/0/5/130588349/4366827.pdf
    • http://sainttheresacatholicchurch.com/uploads/1/3/0/5/130541624/ff21fd.pdf
    • http://purplestore.net/uploads/1/3/0/7/130739686/vifitizodil.pdf
    • http://portergames.net/uploads/1/3/0/7/130775772/pilasusidalaner.pdf
    • http://chadwickbrown.com/uploads/1/3/0/6/130605335/vaxonajaxudobej_topidat_lobosepof_tidadufetukivom.pdf
    • http://sweetwaternetworks.com/uploads/1/3/0/6/130639578/muzivasaba-zezisujob.pdf
    • http://lawtonfirstnaz.com/uploads/1/3/0/2/130270985/1021310.pdf
    • http://beingself-centered.com/uploads/1/3/0/5/130539022/130539022.html#cat+3512+diesel+engine+specifications
    • http://biblewitnessministrie
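The following is an added example, not the analysis platform's own code, showing how the PDF_SEO_LINK_FARM heuristic above can be reproduced: pull every /URI link target out of the PDF bytes, count the ones that point at external .pdf files, and test for clustering. It goes one step beyond the heuristic text by also clustering on path shape, because the URLs listed above sit on many different hosts yet share one generated /uploads/1/3/0/... layout, so a host-only check would miss this sample. The threshold values (10 links, 100 KB, 50% share) are assumptions; the fixture PDF is constructed here and reuses twelve of the URLs from the report.

```python
"""Link-farm heuristic over a PDF's URI link annotations (added example)."""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI (literal string); literal strings may carry backslash-escaped parens.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI link target in file order, with \\( and \\) unescaped.
    Works on uncompressed objects, which is how small carrier PDFs are written."""
    return [m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
            for m in URI_RE.finditer(pdf)]


def path_shape(path: str) -> str:
    """Collapse numeric path segments to N and the filename to *, so that
    /uploads/1/3/0/7/130776630/a.pdf and /uploads/1/3/0/6/130604644/b.pdf
    share one template even though they sit on different hosts."""
    parts = path.split("/")
    return "/".join(["N" if p.isdigit() else p for p in parts[:-1]] + ["*"])


def link_farm_score(pdf: bytes, min_links: int = 10, max_size: int = 100_000) -> dict:
    """Score one PDF. Returns the counters a triage note would quote plus a
    verdict of "PDF_SEO_LINK_FARM" or None. Thresholds are assumptions."""
    urls = [urlparse(u) for u in extract_uris(pdf)]
    ext_pdf = [u for u in urls
               if u.scheme in ("http", "https") and u.path.lower().endswith(".pdf")]
    n = len(ext_pdf)
    hosts = Counter(u.netloc.lower() for u in ext_pdf)
    shapes = Counter(path_shape(u.path) for u in ext_pdf)
    top_host, host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_shape, shape_n = shapes.most_common(1)[0] if shapes else ("", 0)
    host_share = host_n / n if n else 0.0
    shape_share = shape_n / n if n else 0.0
    # Either kind of clustering counts: one host, or one generated path layout
    # spread across many throwaway domains (the pattern in the report above).
    clustered = host_share >= 0.5 or shape_share >= 0.5
    verdict = "PDF_SEO_LINK_FARM" if (len(pdf) <= max_size and n >= min_links and clustered) else None
    return {"size_bytes": len(pdf), "external_pdf_links": n,
            "top_host": top_host, "top_host_share": host_share,
            "top_shape": top_shape, "top_shape_share": shape_share,
            "verdict": verdict}


# Constructed fixture: twelve of the URLs listed in the report above.
SAMPLE_URLS = [
    "http://brilliantautoreflections.com/uploads/1/3/0/7/130776630/meseroto_rilapejaf_gujonuxokuxul_xirosir.pdf",
    "http://weproudlybrewstarbucks.net/uploads/1/3/0/6/130604644/pasejosu.pdf",
    "http://onamishon.com/uploads/1/3/0/5/130543074/vupatudas.pdf",
    "http://quakestudentconferences.net/uploads/1/3/0/4/130435826/lejiviz_putog.pdf",
    "http://nexgenmarketingagency.com/uploads/1/3/0/3/130324350/8013310.pdf",
    "http://stewarthousecommunitysupportservices.org/uploads/1/3/0/6/130621663/aa69d222eb5b.pdf",
    "http://www.themindfulmillennial.space/uploads/1/3/0/6/130620892/zinokewixekemu.pdf",
    "http://3mtruedefinitionlab.com/uploads/1/3/0/5/130588616/wukewugusib.pdf",
    "http://www.cdteachers.com/uploads/1/3/0/5/130590076/lexilode.pdf",
    "http://pantsbysamstore.com/uploads/1/3/0/7/130740195/6360342.pdf",
    "http://howtosoul.com/uploads/1/3/0/7/130738596/df90c1e18e942f.pdf",
    "http://grobins.org/uploads/1/3/0/2/130270747/a41a3badaf982.pdf",
]


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed fixture: a one-page PDF holding one /Link annotation per URL.
    The xref table is omitted because nothing here reads it."""
    annots = [b"<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] "
              b"/A << /S /URI /URI (%s) >> >>" % u.encode("latin-1") for u in urls]
    refs = b" ".join(b"%d 0 R" % (i + 4) for i in range(len(annots)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>" % refs] + annots
    return b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))


SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    for key, value in link_farm_score(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

On the fixture the top host share is 1/12, so the host rule alone would say "not clustered", while every target collapses to the same /uploads/N/N/N/N/N/* template and the shape rule fires. On a real sample, run extract_uris first and review the list by eye; the scoring is only a prioritisation aid.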

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002fe8.bin
SHA-256: de5ad281886bc09a4a68c87f7a1e671ec58be4e1f8fc1fc4f0872714d24bc60c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2FE8
Size: 8696 bytes
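The following is an added example, not the analysis platform's carver, showing how an artifact row like the one above is produced: walk every "<< dict >> stream ... endstream" pair in the file, inflate /FlateDecode streams, and report each payload that starts with an sfnt magic together with the file offset of the stream data, the payload size and its SHA-256. Object streams, filters other than Flate and hex strings inside dictionaries are out of scope; the PDF and the font inside it are constructed fixtures.

```python
"""Carve sfnt font streams out of a PDF and fingerprint them (added example)."""
import hashlib
import re
import zlib

# Stream dictionary (one level of nesting allowed) followed by the stream keyword.
STREAM_START_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n", re.DOTALL)
# Direct integer /Length only; "/Length 6 0 R" is an indirect reference and is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")

# First four bytes of the sfnt offset table.
SFNT_MAGICS = {b"\x00\x01\x00\x00": "TrueType", b"OTTO": "OpenType/CFF",
               b"true": "TrueType (Apple)", b"ttcf": "TrueType collection"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_fonts(pdf: bytes) -> list[dict]:
    """Return one record per sfnt payload found in a stream object."""
    found = []
    for m in STREAM_START_RE.finditer(pdf):
        sdict, start = m.group(1), m.end()
        lm = LENGTH_RE.search(sdict)
        if lm:                              # trust a direct /Length
            raw = pdf[start:start + int(lm.group(1))]
        else:                               # fall back to the endstream keyword
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            raw = pdf[start:end].rstrip(b"\r\n")
        payload = raw
        if b"/FlateDecode" in sdict:
            try:
                payload = zlib.decompress(raw)
            except zlib.error:
                continue                    # truncated or mislabelled: skip, don't crash
        kind = SFNT_MAGICS.get(payload[:4])
        if kind is None:
            continue
        found.append({
            "offset": start,                # where the stream data sits in the file
            "kind": kind,
            "num_tables": int.from_bytes(payload[4:6], "big"),
            "size": len(payload),
            "sha256": sha256_hex(payload),
        })
    return found


def fake_sfnt() -> bytes:
    """Constructed fixture: a TrueType offset table announcing one table plus a
    zero-filled 'head' record; enough to carry the magic, not a usable font."""
    header = b"\x00\x01\x00\x00" + (1).to_bytes(2, "big") + b"\x00\x10\x00\x00\x00\x00"
    record = b"head" + b"\x00" * 4 + (28).to_bytes(4, "big") + (54).to_bytes(4, "big")
    return header + record + b"\x00" * 54   # 12 + 16 + 54 = 82 bytes


def build_sample_pdf(font: bytes) -> bytes:
    """Constructed fixture: FontDescriptor, a Flate-compressed FontFile2 stream,
    and one unrelated uncompressed stream. No xref: the carver walks the bytes."""
    comp = zlib.compress(font)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /FontDescriptor /FontName /Constructed /FontFile2 4 0 R >>",
        b"<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n%s\nendstream"
        % (len(comp), len(font), comp),
        b"<< /Length 11 >>\nstream\nnot a font!\nendstream",
    ]
    return b"%PDF-1.4\n" + b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))


SAMPLE_PDF = build_sample_pdf(fake_sfnt())

if __name__ == "__main__":
    for rec in carve_fonts(SAMPLE_PDF):
        print(f"font_sfnt_off{rec['offset']:08x}.bin  {rec['kind']}  {rec['size']} bytes  {rec['sha256']}")
```

The offset is taken after the stream keyword, which is what a name like font_00_sfnt_off00002fe8.bin encodes; the hash is over the inflated payload, so it can be matched against the carved file's SHA-256 rather than against the compressed bytes on disk. Embedded fonts are a legitimate part of most PDFs, so a carved font is an artifact to fingerprint and cross-reference, not a detection by itself.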