Verdict: MALICIOUS
Risk Score: 128
Malware Insights
MITRE ATT&CK
- T1566.002 Spearphishing Attachment
- T1204.002 Malicious Link
The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. This suggests a phishing or malicious redirection attempt. The ClamAV detection of 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the malicious nature of the document. The presence of a visual download button also indicates a lure to encourage user interaction with the malicious links.
Heuristics (4)
- Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, ID: CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Visual download / call-to-action button lure (severity: low, ID: SE_DOWNLOAD_BUTTON): Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.); low-signal unless other findings point to a malicious workflow.
- Embedded URL (severity: info, ID: EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted URLs:
- http://civilwarlady.org/uploads/1/3/0/3/130313345/559709a8e81f.pdf
- http://qiiqgroup.com/uploads/1/3/0/3/130379194/668480.pdf
- http://buildclicks.com/uploads/1/3/0/4/130488312/novomufot.pdf
- http://www.presson-products.com/uploads/1/3/0/2/130270991/nexomavu_temitapelorime_bizotoz.pdf
- http://magicalcryptofriends.org/uploads/1/3/0/3/130323097/figafuxilalidu.pdf
- http://mind4age.com/uploads/1/3/0/6/130605438/7611817.pdf
- http://merrycollections.com/uploads/1/3/0/4/130476322/kerodafik.pdf
- http://www.ktsky1.com/uploads/1/3/0/6/130604982/e0f44.pdf
- http://karenjrohrlach.com/uploads/1/3/0/7/130776197/nesopujotejifiva.pdf
- http://fby4.com/uploads/1/3/0/6/130639750/xiwikojonifaxe.pdf
- http://jakebrenneise.org/uploads/1/3/0/4/130478438/4595773.pdf
- http://memoirsofatechnocrat.com/uploads/1/3/0/2/130289204/b6f099a21fc9810.pdf
- http://doorrushfour20.com/uploads/1/3/0/6/130604355/1740832.pdf
- http://zenithenergy.com.au/uploads/1/3/0/4/130476317/201133.pdf
- http://adagedanceanddrama.com/uploads/1/3/0/7/130775374/3248742.pdf
- http://globalcompubot.com/uploads/1/3/0/6/130604248/wutiruvedudeguroxa.pdf
- http://www.pludarts.com/uploads/1/3/0/7/130739947/pexufurib.pdf
- http://yoursoulswork.com/uploads/1/3/0/6/130621838/tiwelil.pdf
- http://www.correctiontech.com/uploads/1/3/0/5/130589264/kasareboluwub.pdf
- http://activopulse.com/uploads/1/3/0/2/130270956/b8c3bf72c250b1c.pdf
- http://visionartanddesign.com/uploads/1/3/0/8/130873915/453743.pdf
- http://paulleicht.com/uploads/1/3/0/5/130546243/fd2bb6ea71.pdf
- http://ume.bh/uploads/1/3/0/6/130621011/povurubasalara.pdf
- http://aldensuites.devsite-1.com/uploads/1/3/0/6/130603966/130603966.html#turntable+alignment+protractor+pdf
- http://magicalcryptofriends.org/uploads/1/3/0/3/13032309
Extracted artifacts (2)
Files carved from inside the sample during analysis.
| Filename | Hash | Kind | Source | Size |
|---|---|---|---|---|
| font_00_sfnt_off000039ea.bin | f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x39EA | 16204 bytes |
| font_01_sfnt_off000051de.bin | 4890ad1a084e26e1c55d0ae93b3420ea7d41332c2c31da225f97005c67e257fc | pdf-font-stream | PDF embedded font (sfnt) at offset 0x51DE | 8168 bytes |