Malicious PDF — malware analysis report

Static analysis result for SHA-256 df7b8192d6c81286…

Verdict: MALICIOUS
File type: PDF
Size: 40.3 KB
Authoring application: PDFedit
MD5: fb58e084c9d1c7200a85ec6a44a42721
SHA-1: ac0306b4c800e5cb767ce2a0e3ffcfaa0b70eb50
SHA-256: df7b8192d6c81286212b5fc64b5628c7ab2c65ec3b294525f5ae5fdfad42c471
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files hosted on various domains, a technique often used for SEO manipulation or to distribute further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate malicious intent. The document body is heavily obfuscated and does not provide clear user-facing text, but the heuristic firings are sufficient to determine the attack pattern.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000434f.bin
SHA-256: cc67b42884fc1e917e404c8098394faa5fa5276d8acf34a4b6afd0972014d561
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x434F
Size: 9052 bytes