Malicious PDF — malware analysis report

Static analysis result for SHA-256 d466ea1fd91435cb…

Verdict: MALICIOUS
File type: PDF
Size: 75.3 KB
Authoring application: pstoedit
MD5: 96eaaed08e80032dbcfa6c67f87ab8ce
SHA-1: c1210e06935cc52ed6d4c4c2b906ae1a1bd17e52
SHA-256: d466ea1fd91435cb9e6fa0fb81ee38e9e2cbf7653d62ae5d9aec4675d03911ab
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document was flagged by multiple heuristics, including a critical finding for a large external link farm and a ClamAV detection for 'Pdf.Phishing.TtraffRobotInstall'. The ML classifier also assigned a very high probability of maliciousness. The document body contains garbled text, indicating it is not intended for human consumption but rather to host numerous external links, likely for phishing or malware distribution. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://justshortribs.com/uploads/1/3/0/8/130814172/vuxiwekaxotutuf.pdf
    • http://pogranichnik.store/uploads/1/3/0/5/130545557/017c319a8bd5.pdf
    • http://thainsbook.com/uploads/1/3/0/8/130874010/viwep.pdf
    • http://richardsnyderbrownu.com/uploads/1/3/0/2/130289243/593286.pdf
    • http://appliedgerontology.org/uploads/1/3/0/5/130543665/3fd654.pdf
    • http://mercadopole.com/uploads/1/3/0/6/130603763/447065.pdf
    • http://joshgilmore.solutions/uploads/1/3/0/6/130604303/c2bca.pdf
    • http://womynrising.com/uploads/1/3/0/4/130435646/b6ecdd.pdf
    • http://mnalifestyleconnections.com/uploads/1/3/0/6/130621063/weroxigoniverozer.pdf
    • http://vegas-magic.com/uploads/1/3/0/5/130588670/zejamuxigoralog.pdf
    • http://viviantung.com/uploads/1/3/0/5/130550663/2180879.pdf
    • http://mx.passporttours.co.uk/uploads/1/3/0/6/130604126/degazow-gumomarezosobo.pdf
    • http://nwwriters.com/uploads/1/3/0/6/130621217/xosogaru-jevuka-miwofazefuxu-jifuzazatozu.pdf
    • http://abra-maquillos.com/uploads/1/3/0/8/130873736/sutamazosijov.pdf
    • http://teenaceclothing.com/uploads/1/3/0/5/130546657/9583333.pdf
    • http://packinaction.com/uploads/1/3/0/4/130483125/24923.pdf
    • http://www.elliescrayoncollective.com/uploads/1/3/0/3/130323210/rimura.pdf
    • http://jizhoudaoduchangcns.br3h.com/uploads/1/3/0/7/130775730/130775730.html#learn+javascript+visually+by+ivelin+demirov+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001c93.bin
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1C93
  Size: 16036 bytes

Filename: font_01_sfnt_off000034ae.bin
  SHA-256: fc893191e5fdd92c9d761c9ab08676f7af8bb9d09c52d3f67dc866a2b7a41764
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x34AE
  Size: 10068 bytes