Malicious PDF — malware analysis report

Static analysis result for SHA-256 e602ea91b516303e…

MALICIOUS

PDF

37.1 KB Authoring application: pstoedit
MD5: 0c9bdd3c322669705d740115172a6d75 SHA-1: 440703514d47a2dcddb492b4e3c4d40dd02b3f2a SHA-256: e602ea91b516303e03931fff3a5b63cd4784dde0216f4c3f2f0e1c4adb210ea1
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of external links, identified as a 'link farm' by the PDF_SEO_LINK_FARM heuristic. This suggests the document's primary purpose is to redirect users to other sites, potentially for SEO manipulation or to serve as a distribution point for further malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious intent related to traffic redirection or phishing. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://cpanel.footballernow.com/uploads/1/3/0/5/130551935/eaa1d056171be0.pdf
    • http://zenergieconseil.com/uploads/1/3/0/3/130323130/33c69aa64142a.pdf
    • http://determinedtolearn.net/uploads/1/3/0/5/130590282/17debd87.pdf
    • http://1simpledownload.com/uploads/1/3/0/7/130775186/230132.pdf
    • http://www.avprestigio.com/uploads/1/3/0/2/130291527/783e74782b5778c.pdf
    • http://drlauracano.com/uploads/1/3/0/5/130551230/f93003f9ee82.pdf
    • http://sceneandmore.com/uploads/1/3/0/6/130603809/woxanerorux.pdf
    • http://hostmaster.writingonreels.uk/uploads/1/3/0/5/130590082/f749d9df60b23.pdf
    • http://ns.guanciao.com/uploads/1/3/0/5/130588594/b03ffcfb9a09.pdf
    • http://beeldschermverhuur.eu/uploads/1/3/0/2/130289772/99d8a1862a.pdf
    • http://buttimtrade.com/uploads/1/3/0/5/130539497/ae8016a7.pdf
    • http://louromartinsadvogados.com/uploads/1/3/0/5/130550732/813cf.pdf
    • http://mta-sts.mx.toddurban.com/uploads/1/3/0/2/130289433/eb1e7d6d93f8.pdf
    • http://trinityhilltm.tmd55.org/uploads/1/3/0/8/130874669/56f069.pdf
    • http://hostmaster.future-generations.org/uploads/1/3/0/2/130272847/bomimumup.pdf
    • http://webmail.sascelledesigns.com/uploads/1/3/0/8/130814161/3900434.pdf
    • http://jeffwhitingsolutions.com/uploads/1/3/0/8/130813496/6ae3ff8a3.pdf
    • http://n0.net/uploads/1/3/0/7/130775528/4a61a9c0f.pdf
    • http://nautifoods.com/uploads/1/3/0/6/130639306/8671fccad.pdf
    • http://highspeedstaffingco.tech/uploads/1/3/0/5/130550938/fivuwo.pdf
    • http://urg.brdge.org/uploads/1/3/0/5/130551704/130551704.html#loan+repayment+calculator+excel+south+africa
    • http://jeffwhitingsolutions.com

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00002f8e.bin
f0a429ee8395d4939163018b7fa64806af93e55f56b5a993137ad92fcba863ad		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2F8E 8592 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.