Malicious PDF — malware analysis report

Static analysis result for SHA-256 d60e8f9fdcd710aa…

Verdict: MALICIOUS
File type: PDF
Size: 56.7 KB
Authoring application: QPDF
MD5: c8c75a7ef6cc7bbbe23d0d1770b833f3
SHA-1: 060fb3618dbd1ce221639b43c14915399b58a180
SHA-256: d60e8f9fdcd710aacb3c7928f69f908aa446550d4c6d43287a6e3093ad53562f
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged by ClamAV as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and a machine learning classifier with high confidence. A critical heuristic identified it as a PDF link farm containing multiple external PDF links. The document body contains text related to pickle recipes, which appears to be a lure to disguise the malicious nature of the PDF. The primary attack pattern involves redirecting users to other malicious PDF files hosted on various domains.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9983

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://nordicwalkinglondon.com/uploads/1/3/0/4/130436258/1399456.pdf
    • http://nawebworks.co.uk/uploads/1/3/0/4/130435701/kegonimug-dodogupana-zamotikonefos-ravugit.pdf
    • http://nationalarchivesphotographer.com/uploads/1/3/0/6/130620804/tusurofekozebum.pdf
    • http://allergy.mediutopia.com/uploads/1/3/0/4/130483872/130483872.html#aam+ka+khatta+meetha+achar

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • font_00_sfnt_off00001027.bin
    SHA-256: bf5f4bc81e6db301f421cd2712c20fecbea66ca5d4f370c29bf9d4ec5f86772f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1027
    Size: 8772 bytes
  • font_01_sfnt_off00007f5f.bin
    SHA-256: 0e32f3e0d3e75d45dc9ed28b2f2940cc30e9932afea10ee01a345dd9045f9234
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7F5F
    Size: 9668 bytes
  • font_02_sfnt_off00009859.bin
    SHA-256: 0f23141ba94d37b49c53016ac63a9b008a6ac8e4c4656a8d80e6725f77750189
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9859
    Size: 16140 bytes