Malicious PDF — malware analysis report

Static analysis result for SHA-256 df1d500a0ecb4b28…

Verdict: MALICIOUS
File type: PDF
Size: 35.3 KB
Authoring application: Poppler-utils
MD5: fcee0b8642dd4a356e4bb91b480c1d0d
SHA-1: 14510a49384511caab3df8163b7c9fd25dc9c9c1
SHA-256: df1d500a0ecb4b2849ec4f96568ec0962fde89a62a74e455af4f3f0a545aedea
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged by ClamAV as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and a machine learning classifier returned a high probability of maliciousness. The heuristic 'PDF_SEO_LINK_FARM' indicates the presence of numerous external links, suggesting a phishing or redirection attempt. The document body is heavily obfuscated and unreadable, providing no further context on the specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003196.bin
SHA-256: 8aa9ce8f7c5b3b3e58b3f5090c1325d7d4511383b6c88c3481bb31cd7fbe9f6b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3196
Size: 7952 bytes