Malicious PDF — malware analysis report

Static analysis result for SHA-256 e69cebe1af57e2e2…

MALICIOUS

PDF

46.5 KB Authoring application: pstoedit
MD5: b11c83a2c1227c9b028cb73dda570536 SHA-1: 6db59e3b37d1c908ef92df4f6663c0cc480ba098 SHA-256: e69cebe1af57e2e2d9e742801d4741e6238d0e29094b7b3ce2648e997afa7040
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF was flagged by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0 and a machine learning classifier. Static analysis revealed a large number of embedded external PDF links, indicating a link farm. This suggests the PDF is likely used to redirect users to malicious content or for SEO poisoning. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://hostmaster.genovaink.it/uploads/1/3/1/0/131070590/nuvatafejew.pdf
    • http://farmersmarketpettreats.com/uploads/1/3/0/4/130488286/6a6f32dfb.pdf
    • http://www.rotster.net/uploads/1/3/0/7/130775407/e47e25e67a5.pdf
    • http://artsholidayitaly.com/uploads/1/3/0/2/130270863/8312268.pdf
    • http://www.sffaz.com/uploads/1/3/0/6/130620551/rigopejini.pdf
    • http://jukeboxarcade.com/uploads/1/3/0/8/130874109/2718344.pdf
    • http://www.diegoocchi.com/uploads/1/3/0/5/130590308/nevonij-valev-rarimowepafuk-vigigofebixegeg.pdf
    • http://film-studio.london/uploads/1/3/0/6/130605306/sukorom-femad.pdf
    • http://colddiamnd.com/uploads/1/3/0/4/130483413/latukaveforiko_molisiponije_pameroxevek_motevujorur.pdf
    • http://femibot.com/uploads/1/3/0/8/130813554/reladelufononot.pdf
    • http://intraterrestrial.net/uploads/1/3/0/4/130436139/6764146.pdf
    • http://claireleisringbuerkcounseling.com/uploads/1/3/0/5/130550847/2941cc9c4f8.pdf
    • http://recapturedlife.com/uploads/1/3/0/2/130270849/tival-tejunazob.pdf
    • http://mightygoodentertainment.com/uploads/1/3/0/7/130739836/448003.pdf
    • http://stormsteelllc.com/uploads/1/3/0/5/130539295/xojanar.pdf
    • http://www.oombaga.net/uploads/1/3/0/5/130550794/derati_kemajuwenu.pdf
    • http://keepitpositive.website/uploads/1/3/0/6/130620981/lotazan.pdf
    • http://casparscatering.com.au/uploads/1/3/0/2/130288439/nolurolum_tedepisebuwif.pdf
    • http://iranconsaru.com/uploads/1/3/0/8/130814644/2478210.pdf
    • http://foursake.com/uploads/1/3/0/7/130739472/1392075.pdf
    • http://navice.org/uploads/1/3/0/3/130379192/130379192.html#vulnerability+assessment+penetration+testing+interview+questions

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005538.bin
98ccc359c186ebaed3378826cc7da0c0a7b43e21996fdee547a378c5ca692027		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5538 8460 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.