Malicious PDF — malware analysis report

Static analysis result for SHA-256 db9630270b946132…

Verdict: MALICIOUS
File type: PDF
File size: 33.9 KB
Authoring application: Poppler-utils
MD5: d63e0588162edc3ea757ded533b37221
SHA-1: 00ff1f15ad15ab741cd0dad903c533279dccdd57
SHA-256: db9630270b946132e86dbfeed1b001d8b1cfc95d3b63b43484475d1421c49676
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, many pointing to PDF files hosted on various domains, suggesting a link farm for phishing or malware distribution. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate malicious intent. The document body, though heavily obfuscated, contains references to 'Awake streaming vf' and lists numerous URLs, reinforcing the phishing lure. The primary attack pattern involves directing users to download further malicious content disguised as video streaming or identity verification pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000110e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x110E  9000 bytes
  SHA-256: ab4c7c15c5c6f71c4d6804e8014bdb543d77be14a0593b7e27e14fec635bbfa4
font_01_sfnt_off00004409.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4409  4504 bytes
  SHA-256: 570e54646e1d5c83cc71835b6607959b0c1be8b6882bf4a1d596e9cc329702e9