Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5a99f20fdee8147…

Verdict: MALICIOUS
File type: PDF
Size: 28.2 KB
Authoring application: Nitro PDF
MD5: bac8a17d48df8e5a94df52b8dcd01e88
SHA-1: 4fb8c4a55a77dce45380108eb7313efe9e93a73d
SHA-256: e5a99f20fdee8147ff3e3bc3029f2bdea257c18ed2c55f105537a1b9880eeaa3
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The PDF was flagged by multiple heuristics, including a critical finding for a large number of external PDF links, which matches a generated SEO link-farm carrier rather than a document with genuine citations. ClamAV identifies it as Pdf.Phishing.TtraffRobotInstall-7605656-0. The nine embedded URLs point to nine different domains (two of them on weebly.com), all but one of which share the same /uploads/1/3/0/ path prefix; they are likely used to route users into malicious or unwanted-software delivery chains or phishing pages. The document body contains fragmented text about a 'Bernina bernette 50 instruction manual', which serves as the search lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 3

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://harveyjettmusic.com/uploads/1/3/0/6/130621353/xojalef-foxewigavifaz-golojapebafowu.pdf
    • http://wezafukib.vipiska-egrn-besplatno.icu/uploads/2020/01/29/9837164.pdf
    • http://minnesotainvestmentproperty.com/uploads/1/3/0/6/130603851/6715e8c86193.pdf
    • https://xezududizuj.weebly.com/uploads/1/3/0/5/130588548/zodurokesuxixa-goxoganuwefati.pdf
    • http://mew3mew.studio/uploads/1/3/0/5/130543771/xapumakatil_nexedarebad_wafuwoso_limabiz.pdf
    • http://therandytravisfoundation.org/uploads/1/3/0/4/130476697/sefobazufimofux.pdf
    • http://alternative-vaping.com/uploads/1/3/0/5/130539182/torexa.pdf
    • https://mezuzubedikul.weebly.com/uploads/1/3/0/3/130323403/e7cdc2.pdf
    • http://theelfbox.com/uploads/1/3/0/5/130539054/130539054.html#bernina+bernette+50+instruction+manual
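To make the link-farm heuristic concrete, here is an added Python example, written for this page and not the scanner's own code. It pulls /URI targets out of link annotations in an uncompressed PDF (handling both literal and hex PDF strings, including escaped parentheses) and then scores the file the way the PDF_SEO_LINK_FARM finding describes: small file, many external .pdf links, clustered on a host or on a shared path template. The sample PDF, the example-a.test and example-b.test hosts, and the thresholds (64 KB, 3 links, 50% on one host) are assumptions made for the example; the report does not state the scanner's thresholds.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a minimal uncompressed PDF whose page carries five /Link
# annotations. Hosts and paths are made up for this example; they are not the
# URLs from the report above.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (http://example-a.test/uploads/1/3/0/6/1.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (http://example-a.test/uploads/1/3/0/6/2.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (http://example-a.test/uploads/1/3/0/6/3.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (https://example-b.test/uploads/1/3/0/5/x\\(1\\).pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI <687474703a2f2f6578616d706c652d612e746573742f696e6465782e68746d6c> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI followed by either a literal string (...) or a hex string <...>.
# Escaped bytes inside the literal are kept for decode_literal() to resolve.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)

_ESC = {0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09, 0x62: 0x08, 0x66: 0x0C}  # \n \r \t \b \f


def decode_literal(raw: bytes) -> bytes:
    """Resolve PDF literal-string escapes: \\n-style, \\ddd octal, \\(, \\), \\\\."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C:                      # not a backslash: copy through
            out.append(c)
            i += 1
            continue
        i += 1
        if i >= len(raw):                  # dangling backslash at end of string
            break
        e = raw[i]
        if e in _ESC:
            out.append(_ESC[e])
            i += 1
        elif 0x30 <= e <= 0x37:            # up to three octal digits
            j = i
            while j < len(raw) and j - i < 3 and 0x30 <= raw[j] <= 0x37:
                j += 1
            out.append(int(raw[i:j], 8) & 0xFF)
            i = j
        elif e in (0x0A, 0x0D):            # backslash-newline is a line continuation
            i += 1
        else:                              # \\, \(, \) and unknown escapes: the byte itself
            out.append(e)
            i += 1
    return bytes(out)


def extract_link_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in uncompressed objects, in file order."""
    uris = []
    for lit, hx in URI_RE.findall(pdf):
        if hx:
            digits = re.sub(rb"\s+", b"", hx)
            if len(digits) % 2:            # PDF pads a trailing odd digit with 0
                digits += b"0"
            raw = bytes.fromhex(digits.decode("ascii"))
        else:
            raw = decode_literal(lit)
        uris.append(raw.decode("latin-1"))
    return uris


def score_link_farm(pdf: bytes, max_size=64 * 1024, min_pdf_links=3, min_top_share=0.5) -> dict:
    """Apply the link-farm heuristic: small file, many external .pdf links, clustered.
    Thresholds are assumptions for this example, not the scanner's."""
    uris = [u for u in extract_link_uris(pdf) if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    # Path template = first four path segments, e.g. /uploads/1/3/0; link farms on
    # shared hosting often differ by host but reuse one template.
    templates = Counter("/".join(urlparse(u).path.split("/")[:5]) for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    top_template = templates.most_common(1)[0][0] if templates else ""
    top_share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
               and top_share >= min_top_share)
    return {"size": len(pdf), "links": len(uris), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_share": top_share,
            "top_template": top_template, "flagged": flagged}


if __name__ == "__main__":
    for u in extract_link_uris(SAMPLE_PDF):
        print("link annotation ->", u)
    print(score_link_farm(SAMPLE_PDF))
```

Two caveats when running this against real samples. First, a regex over raw bytes only sees uncompressed objects; most modern PDFs put annotation dictionaries in FlateDecode object streams, so decompress first or take the annotations from a proper parser (pdf-parser.py, peepdf, pypdf) and feed the same scoring. Second, the host cluster alone would miss this report's sample: its URL list above has nine distinct hosts, but eight of them share the /uploads/1/3/0/ prefix, which is why the path-template counter is reported alongside the host share.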

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011e0.bin
SHA-256: fd9fe5392d52c4559941a75a7fdfbab4381a96ded8e0e40fae950861bf4e3e2f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11E0
Size: 7112 bytes