Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5a501f2c66d578f…

Verdict: MALICIOUS
File type: PDF
Size: 31.1 KB
Authoring application: Mobipocket Creator
First seen: 2020-09-04
MD5: b58f8f4664b969b1cf3db5b14de64bb8
SHA-1: fceef92668af8ebd199e1b4e22bce9446cdf5b80
SHA-256: d5a501f2c66d578fec4a5e0a8cf2d5a3a031d097d607011a573f0464c6052560
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0 and a machine learning classifier with high confidence. The critical heuristic PDF_SEO_LINK_FARM indicates the presence of a large number of external links, with the primary domain being bestsatoha.xyz. This suggests the document is designed to lure users to external sites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001320.bin
SHA-256: 256f9a49b6db6f9b8e8a3253f64254c43d0edd711433f1b82f8bcfc8ca11b694
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1320
Size: 7124 bytes