Malicious PDF — malware analysis report

Static analysis result for SHA-256 d10bc255b24adbbb…

Verdict: MALICIOUS
File type: PDF
Size: 37.0 KB
Authoring application: Pdftk
MD5: 250f8227c20122f7b5841d78e2b4102a
SHA-1: b9bb1c867cfda82519fe30e9e25a70ea58ac077a
SHA-256: d10bc255b24adbbb38823d96523b2455c9caa6d62c1a0ee25f54710f4a32914c
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

The PDF was flagged by multiple heuristics, including a critical ClamAV detection (Pdf.Phishing.TtraffRobotInstall-7605656-0) and the critical PDF_SEO_LINK_FARM rule. Together these indicate that the document exists to host a large number of external links, most likely to manipulate search engine results and to route readers into a malicious or unwanted-software download chain. The Nyx PDF classifier also scored the file 1.0000 (malicious). No scripts were extracted from this sample, so the document relies on the user clicking a link rather than on embedded code.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://blzzr.com/uploads/1/3/0/4/130483325/negogefo.pdf
    • https://putolibavusok.weebly.com/uploads/1/3/0/6/130604153/gudenifuxamesapis.pdf
    • http://wigoketek.jila12.ru/uploads/2020/01/27/wesan-bewunejomexafe.pdf
    • http://tegiferi.ourverify.com/uploads/2020/01/27/6fc10c.pdf
    • http://miss-nelson.com/uploads/1/3/0/6/130604864/5cc2526c969d1b9.pdf
    • http://theekklesiacenter.com/uploads/1/3/0/6/130604536/gopupe.pdf
    • http://masterlibrary-staging.com/uploads/1/3/0/5/130589354/godutuf.pdf
    • http://gilbertjacksongroup.com/uploads/1/3/0/5/130588487/xizunoleneredux-vivukepa-sixewofukozowok.pdf
    • http://ollslmc.weebly.com/uploads/1/3/0/4/130483309/luwelokuzi.pdf
    • http://lichnii-kabinet.online/uploads/2020/01/29/gogamolenimuf.pdf
    • http://mat.djpschool.com/uploads/2020/01/28/ec7ca759.pdf
    • http://theskinnhaven.com/uploads/1/3/0/5/130590164/julozarik.pdf
    • http://luckycoinproductions.ca/uploads/1/3/0/6/130621402/mogelefixumoxu_wixovo.pdf
    • http://performx.shop/uploads/1/3/0/3/130313466/11af6862.pdf
    • http://alexandermgmtnyc.com/uploads/1/3/0/4/130476068/4b24df4b76a4b6.pdf
    • http://dilutebuso.funblog.online/uploads/2020/01/27/sevulamiworopev-labivekoxopur-xetegosebos-faxiko.pdf
    • http://vidyavara.com/uploads/1/3/0/5/130538939/951334.pdf
    • http://moir.se/uploads/1/3/0/6/130621055/00a1ca24.pdf
    • http://pelathan.com/uploads/1/3/0/4/130479570/mivup.pdf
    • http://mynaturalhairspa.com/uploads/1/3/0/6/130620606/130620606.html#corporations+law+in+principle+10th+e
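
The PDF_SEO_LINK_FARM and EMBEDDED_URL entries above describe a triage step that is easy to reproduce: pull every URL out of the file, label the channel that reached it (link annotation, JavaScript action, or plain document body), then flag a small file whose link annotations point at many external .pdf targets that cluster together. The script below is an added example written for this page, not the scanner's own code; its thresholds, the constructed sample PDF and the `.test` hostnames are assumptions. It goes slightly beyond the rule text in one way: the URLs listed in this report sit on distinct hosts but share a generated `/uploads/1/3/0/…/<id>/` path layout, so the example clusters on a digit-collapsed path template as well as on hostname. It only inspects uncompressed objects; a real scanner inflates /FlateDecode and /ObjStm streams first.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import urlparse

# /Link annotation with a URI action: /A << /S /URI /URI (http://host/x.pdf) >>
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# JavaScript action payload: /S /JavaScript /JS (...)
JS_ACTION_RE = re.compile(rb"/JS\s*\(([^)]*)\)")
# Any http(s) URL in the raw bytes (metadata, uncompressed content streams, ...)
RAW_URL_RE = re.compile(rb"https?://[^\s'\"()<>]+")


def extract_urls(pdf):
    """Return [(channel, url)] where channel names the PDF feature that reached the URL.

    Assumption: only plain-text objects are inspected; compressed streams are not inflated.
    """
    found, seen = [], set()

    def add(channel, url):
        if url not in seen:
            seen.add(url)
            found.append((channel, url))

    for m in URI_ACTION_RE.finditer(pdf):
        add("link-annotation", m.group(1).decode("latin-1"))
    for m in JS_ACTION_RE.finditer(pdf):
        for raw in RAW_URL_RE.findall(m.group(1)):
            add("javascript", raw.decode("latin-1"))
    for m in RAW_URL_RE.finditer(pdf):
        add("body", m.group(0).decode("latin-1"))  # whatever no action already claimed
    return found


def path_template(url):
    """Directory part of the URL path with digit runs collapsed, e.g. /uploads/N/N/N/N/N."""
    return re.sub(r"\d+", "N", posixpath.dirname(urlparse(url).path))


def link_farm_verdict(pdf, min_links=10, max_size=100 * 1024, min_cluster_share=0.5):
    """PDF_SEO_LINK_FARM-style check; thresholds are illustrative assumptions.

    Flags a small file whose /Link annotations point at many external .pdf targets
    that cluster on one host or on one generated path layout.
    """
    links = [u for ch, u in extract_urls(pdf)
             if ch == "link-annotation"
             and urlparse(u).scheme in ("http", "https")
             and urlparse(u).path.lower().endswith(".pdf")]
    n = len(links)
    hosts = Counter(urlparse(u).hostname for u in links)
    templates = Counter(path_template(u) for u in links)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl, top_tpl_n = templates.most_common(1)[0] if templates else (None, 0)
    host_share = top_host_n / n if n else 0.0
    tpl_share = top_tpl_n / n if n else 0.0
    flagged = (len(pdf) <= max_size and n >= min_links
               and max(host_share, tpl_share) >= min_cluster_share)
    return {"size": len(pdf), "external_pdf_links": n, "distinct_hosts": len(hosts),
            "top_host": top_host, "top_host_share": round(host_share, 2),
            "top_path_template": top_tpl, "top_template_share": round(tpl_share, 2),
            "flagged": flagged}


def build_sample_pdf(link_urls, extra_objects=()):
    """Constructed, minimal one-page PDF (no xref table; enough for regex-based triage)."""
    objs, refs, num = [], [], 4
    for url in link_urls:
        refs.append(f"{num} 0 R")
        objs.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({url}) >> >>\nendobj\n")
        num += 1
    for body in extra_objects:
        objs.append(f"{num} 0 obj\n{body}\nendobj\n")
        num += 1
    doc = ("%PDF-1.4\n"
           "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
           f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
           f"/Annots [{' '.join(refs)}] >>\nendobj\n"
           + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return doc.encode("latin-1")


# Constructed sample: nine links on one host sharing a generated path layout, three elsewhere,
# plus one JavaScript action and one URL in the Info dictionary.
FARM_LINKS = [f"http://farm.example.test/uploads/1/3/0/4/1304833{i:02d}/doc{i}.pdf" for i in range(9)] + [
    "http://alpha.example.test/uploads/2020/01/27/a.pdf",
    "https://beta.example.test/uploads/b.pdf",
    "http://gamma.example.test/uploads/c.pdf",
]
SAMPLE_PDF = build_sample_pdf(FARM_LINKS, extra_objects=[
    '<< /S /JavaScript /JS (var u = "http://js.example.test/p.pdf";) >>',
    '<< /Title (Sample) /Subject (see http://body.example.test/notes) >>',
])

if __name__ == "__main__":
    for channel, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} {url}")
    print(link_farm_verdict(SAMPLE_PDF))
```

Running it against the constructed sample labels twelve URLs as link-annotation, one as javascript and one as body, and the verdict reports a 0.75 share for both the top host and the top path template, so the file is flagged; the same call on a two-link document is not. When reproducing this on a real sample, treat the channel label as the important output: a URL reached only from document text is weaker evidence than one behind a clickable annotation or a JavaScript action.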

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000156b.bin
SHA-256: 5b3d585044a1a946e2c8e0337b6f63e986d1e8ca6f900be45fe681dc779373f1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x156B
Size: 7616 bytes