Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb6a73d2677b2c3c…

MALICIOUS

PDF

Size: 39.3 KB
Authoring application: Adobe PDF Library 9.0
MD5: ce002eae76009dd5f6c6a1fd2296a13f
SHA-1: 42e336ad8f6d5db92f35d28291ffdc8cf34b4f0c
SHA-256: eb6a73d2677b2c3cbb3f2fd0d0e9d240753889e282b5f69c66b5f521db99cd6f
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. ClamAV identified this as Pdf.Phishing.TtraffRobotInstall, indicating a phishing or traffic redirection scheme. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000039d7.bin
SHA-256: 25e350953c653cee63acd6c618f8d44db47e4b154c3696b7b5d979326e81500e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x39D7
Size: 7640 bytes