Malicious PDF — malware analysis report

Static analysis result for SHA-256 deb1669a12fa1e1b…

Verdict: MALICIOUS
File type: PDF
Size: 55.4 KB
Authoring application: Serif PagePlus
MD5: 1418eca5f2b6c474c39ff096bf3dbc57
SHA-1: c4c680c6480fc6bc31ca936280f4dc3c154a238b
SHA-256: deb1669a12fa1e1b9884af5e6ba47edbb0dadac67e5850273cf2b1bd20f01800
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including a critical finding for a PDF link farm and ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0. The document body contains numerous embedded URLs, suggesting a phishing or traffic-driving campaign. The primary attack pattern involves leveraging these links to redirect users to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001238.bin
SHA-256: 0fdcf996303286ebd8c9bf1efa39f941d9f6d21b3e774bdf83808457c058bbbf
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1238
Size: 8840 bytes