Malicious PDF — malware analysis report

Static analysis result for SHA-256 e3ffdb6e21fa4614…

MALICIOUS

PDF

29.3 KB Authoring application: pstoedit
MD5: a8cb807da039fdd31d6f60ff857a9843 SHA-1: 4a266e151463aec6c6ddb0063ccdfcc35ab034dc SHA-256: e3ffdb6e21fa4614fae6f2af3566ab692c8e2eb0d0ddd1a7a79f4693c7fc9ee7
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule and ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0. The document body and embedded artifacts reveal a large number of external URLs, indicating a likely phishing or link-farming attack. The primary intent appears to be directing users to potentially malicious external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://melissathornephysio.com/uploads/1/3/0/6/130621741/5805364.pdf
    • http://fulalalil.evroplast92.ru/uploads/2020/01/28/ruginoj-zezuriwi-retupidofisagek-wekote.pdf
    • http://analogi.us/uploads/1/3/0/6/130621431/zotugofejumu.pdf
    • http://zarab4u.online/uploads/2020/01/28/b65d7402a2.pdf
    • http://xelovo.campolasalina.com/uploads/2020/01/27/e4ae6c0197d.pdf
    • http://lilmissrealtor.com/uploads/1/3/0/6/130620962/fojamekumosakiw.pdf
    • https://kuzibadufawut.weebly.com/uploads/1/3/0/2/130288630/600cdd722.pdf
    • https://giwefekewid.weebly.com/uploads/1/3/0/2/130270991/witasuxibonox_wuxumekaf_zonalajug.pdf
    • http://jtbeidencharles.com/uploads/1/3/0/5/130539797/xebag.pdf
    • http://norledgemaths.weebly.com/uploads/1/3/0/4/130477245/b95b71e1e3d8805.pdf
    • http://mimofopur.cosmuslug.com/uploads/2020/01/27/dutekabexosoz.pdf
    • https://deparazo.weebly.com/uploads/1/3/0/5/130550874/664d1.pdf
    • http://banquinhoeviolao.site/uploads/2020/01/27/sipufeso.pdf
    • http://zambiasafarihunting.com/uploads/1/3/0/6/130603761/130603761.html#android+action+bar+example+github

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000012ee.bin
439e1e2bc3f19e88f3f5d7ce356028d899ec92db2878ad8be206a0064aeaf3b2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12EE 7008 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.