Malicious PDF — malware analysis report

Static analysis result for SHA-256 d2b6c361b85542c2…

Verdict: MALICIOUS
File type: PDF
Size: 34.3 KB
Authoring application: QPDF
MD5: b58a009009464f89bf87a86c8ab85f52
SHA-1: aba547b80f734863b452dcd7af23b3056c538f42
SHA-256: d2b6c361b85542c2f06b80cd6cf3f0542ea4a8b940113567311833df5db27aef
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell

ClamAV flagged the PDF as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and the Nyx PDF classifier scored it 1.0000, the maximum malicious score. The heuristic 'PDF_SEO_LINK_FARM' fired on the large number of clickable external PDF links in a file of only 34.3 KB; the first of them points to http://wearethepack.com/uploads/1/3/0/7/130739662/a6490fb561dca.pdf, and nearly all of them share the same /uploads/1/3/0/x/13xxxxxxx/<name>.pdf path shape across unrelated hosts. This indicates that the document's primary purpose is to lure users into clicking these links, which likely lead to phishing pages or malware downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://wearethepack.com/uploads/1/3/0/7/130739662/a6490fb561dca.pdf
    • http://www.flexihose.in/uploads/1/3/0/5/130590770/fumotewojonur-fedazunavitozok-kibuvavikuzi.pdf
    • http://essence-of-nature.com/uploads/1/3/0/3/130313082/09ac6a1a.pdf
    • http://empirepersonaltraining.com/uploads/1/3/0/4/130476255/fazamesetagenunasul.pdf
    • http://cawatercareers.com/uploads/1/3/0/6/130621901/gubura.pdf
    • http://xciii.org/uploads/1/3/0/2/130288430/85558e735.pdf
    • http://o2skinrenu.com/uploads/1/3/0/5/130551585/mizovewosodep_gegesabebape_vuzijo.pdf
    • http://reneesgourmetpizzeria.net/uploads/1/3/0/4/130483871/c36084bd8.pdf
    • http://lakesareaelectricinc.com/uploads/1/3/0/5/130543575/kejevegupev_kidakes_bejovatizolaros.pdf
    • http://nathannasbymusic.com/uploads/1/3/0/2/130288682/7532277.pdf
    • http://www.deweybookemhowe.ca/uploads/1/3/0/5/130538992/xojaxepuminun.pdf
    • http://illuminatedflowers.com/uploads/1/3/0/5/130589000/xuvemezovojemufujen.pdf
    • http://crownway.org/uploads/1/3/0/7/130739371/pubabit.pdf
    • http://enchantmentaesthetics.com/uploads/1/3/0/7/130739934/7165200.pdf
    • http://balmonline.com/uploads/1/3/0/5/130543995/d5f2b977.pdf
    • http://www.jryoheassociates.com/uploads/1/3/0/7/130739697/913799.pdf
    • http://thinkmundo.com/uploads/1/3/0/2/130291536/gotosi_junifes_dujinu_rukatenurodaxo.pdf
    • http://hostmaster.linda-daunter.uk/uploads/1/3/0/7/130776886/bagel.pdf
    • http://mustardseedboutiquemass.com/uploads/1/3/0/4/130476502/83e12f.pdf
    • http://scdelongsales.com/uploads/1/3/0/4/130488213/tekatilorakad_lifurev.pdf
    • http://februaryvioletseniors.com/uploads/1/3/0/7/130738962/4130182.pdf
    • http://nuobeijinghotel-chinese.devsite-1.com/uploads/1/3/0/2/130274305/abf67424a9a292e.pdf
    • http://www.spotlesscleaningexperts.com/uploads/1/3/0/6/130621387/dodapimimamugata.pdf
    • http://vps9-internal.pleasingfood.com/uploads/1/3/0/9/130968934/130968934.html#aspose+html+string+to+pdf
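The PDF_SEO_LINK_FARM heuristic described above, written out as an added example (this is not the scanner's own code): it pulls the /URI action targets out of the raw PDF, then tests the three conditions the heuristic names, a small file, many external links, and links that cluster. It goes slightly beyond the heuristic text by also clustering on a normalised path shape, because the URL list above spreads its links over many hosts but keeps one path pattern. The thresholds, the helper names and the sample PDFs are assumptions chosen for illustration; the link-farm sample reuses the report's path shape on invented *.example hosts.

```python
"""Toy PDF_SEO_LINK_FARM-style heuristic (added example, not the scanner's own code)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed thresholds: the page does not publish the scanner's real values.
MAX_SMALL_PDF_BYTES = 64 * 1024   # "small PDF"
MIN_EXTERNAL_LINKS = 10           # "many clickable external links"
MIN_CLUSTER_RATIO = 0.6           # share of links that must share one host or one path shape

# /URI (literal string) inside a /Link annotation's action dictionary.
# Only dictionaries stored uncompressed in the file are visible to this regex (see note below).
URI_RE = re.compile(rb"/URI\s*\((?P<lit>(?:\\.|[^\\)])*)\)", re.DOTALL)
SIMPLE_ESCAPES = {0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09, 0x62: 0x08, 0x66: 0x0C}  # \n \r \t \b \f


def unescape_pdf_literal(raw: bytes) -> str:
    """Decode PDF literal-string escapes: \\ddd octal, \\n-style, and \\( \\) \\\\ as the escaped byte."""
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):            # backslash escape
            n = raw[i + 1]
            if 0x30 <= n <= 0x37:                     # up to three octal digits
                j = i + 2
                while j < len(raw) and j < i + 4 and 0x30 <= raw[j] <= 0x37:
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
            else:
                out.append(SIMPLE_ESCAPES.get(n, n))
                i += 2
        else:
            out.append(c)
            i += 1
    return out.decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI action target found in the raw file, in file order."""
    return [unescape_pdf_literal(m.group("lit")) for m in URI_RE.finditer(pdf)]


def path_template(path: str) -> str:
    """Generalise a URL path: all-digit segments become <n>; the last segment keeps only its extension."""
    parts, out = path.split("/"), []
    for idx, seg in enumerate(parts):
        if seg.isdigit():
            out.append("<n>")
        elif idx == len(parts) - 1 and seg:
            out.append(("<file>." + seg.rsplit(".", 1)[1].lower()) if "." in seg else "<file>")
        else:
            out.append(seg)
    return "/".join(out)


def link_farm_verdict(pdf: bytes) -> dict:
    """Small file + many external links + links clustered on one host or one path shape."""
    external = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in external)
    shapes = Counter(path_template(urlsplit(u).path) for u in external)
    top_host = hosts.most_common(1)[0] if hosts else ("", 0)
    top_shape = shapes.most_common(1)[0] if shapes else ("", 0)
    n = len(external)
    cluster_ratio = max(top_host[1], top_shape[1]) / n if n else 0.0
    flagged = len(pdf) <= MAX_SMALL_PDF_BYTES and n >= MIN_EXTERNAL_LINKS and cluster_ratio >= MIN_CLUSTER_RATIO
    return {"size": len(pdf), "external_links": n, "distinct_hosts": len(hosts),
            "top_host": top_host[0], "top_path_template": top_shape[0],
            "cluster_ratio": round(cluster_ratio, 2), "PDF_SEO_LINK_FARM": flagged}


def build_link_pdf(uris: list[str]) -> bytes:
    """Construct a minimal one-page PDF with one /Link annotation per URI (sample input for this example)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>")
    for i, u in enumerate(uris):
        lit = u.encode("latin-1").replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
        rect = b"[72 %d 540 %d]" % (700 - 12 * i, 712 - 12 * i)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect " + rect + b" /A << /S /URI /URI (" + lit + b") >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


# Constructed samples: twelve invented hosts sharing the report's "/uploads/1/3/0/x/13xxxxxxx/<name>.pdf"
# path shape, versus a control document with three ordinary citations.
LINK_FARM_URIS = ["http://site%02d.example/uploads/1/3/0/%d/13%07d/f%x.pdf" % (i, i % 8, 500000 + 7919 * i, 0xA6490F + i)
                  for i in range(12)]
NORMAL_URIS = ["https://example.org/docs/whitepaper.pdf", "https://example.com/about", "http://example.net/blog/2023/post"]
SAMPLE_PDF = build_link_pdf(LINK_FARM_URIS)
CONTROL_PDF = build_link_pdf(NORMAL_URIS)

if __name__ == "__main__":
    for name, pdf in (("link-farm sample", SAMPLE_PDF), ("control", CONTROL_PDF)):
        print(name, link_farm_verdict(pdf))
```

The regex only sees annotation dictionaries stored in plain text. Link annotations of a real sample are often packed into Flate-compressed object streams, so normalise the file first (for instance `qpdf --qdf --object-streams=disable in.pdf out.pdf`) or walk the object tree with a PDF library before counting; otherwise a link farm can hide behind a single compressed stream and score zero external links.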

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000023d7.bin
SHA-256: bce81f521fe202ae34c332b526f39a781061f3509bec643d340ca2349975b35e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x23D7
Size: 7668 bytes