Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea218e739383d58f…

MALICIOUS

PDF

Size: 61.4 KB
Authoring application: Adobe PDF Library 9.0
MD5: adae4285a99d308dd3279b1c24e19e93
SHA-1: 57968d27d878271b2c5a25e44a19c92af809f98f
SHA-256: ea218e739383d58f0afac7ee665365d5375e040afd2df859c083d8d3ce62593a
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. The critical PDF_SEO_LINK_FARM heuristic indicates the presence of a large number of external PDF links, with www.rougebymaggi.com being the dominant host. The document body, though heavily obfuscated, contains references to intellectual property and Adobe PDF Library, suggesting a lure document. The primary attack pattern involves redirecting users to a vast network of linked PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00001336.bin (SHA-256: 393cd24a64432e00bc5c3c1ba678467e6729223ad7e0369e7e0e67107c83d0b8) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1336 | 9256 bytes
font_01_sfnt_off0000a0d3.bin (SHA-256: b3affdfdfee497c2d3230853582529cf395d265bfdbb8cde7d84ae9c33602211) | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA0D3 | 16036 bytes