Malicious PDF — malware analysis report

Static analysis result for SHA-256 d63772389e3b0031…

MALICIOUS

PDF

Size: 40.1 KB
Authoring application: Pdftk
MD5: c93164350270167740776e3daebe137b
SHA-1: d90d9bf03f8609ab70022120adabb8936c29873f
SHA-256: d63772389e3b0031681deaa19e629dc3425ba8f08d6e2701439c0ed875a03a05
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious by multiple heuristics, including a critical PDF_SEO_LINK_FARM alert and ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0. The document body contains garbled text, but the embedded URLs and the PDF_SEO_LINK_FARM heuristic indicate a likely phishing or malware distribution scheme. The numerous external links point to a coordinated effort to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://2ourhealth.net/uploads/1/3/0/4/130476403/9350173.pdf
    • http://bookandtableinn.com/uploads/1/3/0/2/130288456/dumixajojosadobig.pdf
    • http://newrichmondoh.org/uploads/1/3/0/6/130603852/21ec8e588dd01f.pdf
    • http://dartmouthmountaineering.org/uploads/1/3/0/4/130435850/2413450.pdf
    • http://bonniesthlm.com/uploads/1/3/0/5/130550708/6817553.pdf
    • https://manupezali.weebly.com/uploads/1/3/0/3/130313173/d1d9f.pdf
    • http://surfergirl.us/uploads/1/3/0/3/130323453/da1d55c09.pdf
    • http://draamasalo.com/uploads/1/3/0/4/130483200/1271808.pdf
    • http://stevenrobinsonmusic.com/uploads/1/3/0/5/130590558/nipen.pdf
    • https://zorenexogopaxen.weebly.com/uploads/1/3/0/2/130272348/a8dbc71.pdf
    • https://ruzozilesu.weebly.com/uploads/1/3/0/2/130270781/duwizugajadovev.pdf
    • http://theknowledgewarriors.com/uploads/1/3/0/6/130604077/8176695.pdf
    • http://sheriffproperties.com/uploads/1/3/0/5/130546333/vaxesonemologegefo.pdf
    • http://nordcel.com/uploads/1/3/0/2/130288939/rupugoj.pdf
    • http://nileshsp.com/uploads/1/3/0/5/130544136/pegus.pdf
    • http://myabloomstore.com/uploads/1/3/0/5/130540282/nemevaziki-gosuvaperadosid.pdf
    • http://mebel.debit-kredit.ru/uploads/2020/01/29/2290906.pdf
    • http://djdbaker.com/uploads/1/3/0/5/130551675/vidunotuka.pdf
    • http://pubabali.marine-ballet.ru/uploads/2020/01/29/c37e25b5389.pdf
    • http://nowbiz.net/uploads/1/3/0/6/130639885/zadekalunase.pdf
    • http://nobookingfee.org/uploads/1/3/0/4/130483265/fenapolaserag_wupanafijul_sizarik_gumafaduzozob.pdf
    • http://artofhostingns.ca/uploads/1/3/0/5/130550665/130550665.html#cahier+des+charges+pour+d%C3%A9veloppement+informatique

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000166e.bin
Digest: 702bbadb510caf793d1454dac2579b51237d1f92c1dbe0fff6a185cbb2ab9c2f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x166E
Size: 9924 bytes