Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed931ebaaa8950b9…

MALICIOUS

PDF

Size: 62.1 KB
Authoring application: Mobipocket Creator
MD5: 16388291163a09444be06a1027b9c953
SHA-1: 31fa3827228126a73219202bdc59a3267b5a8237
SHA-256: ed931ebaaa8950b9431f431f32b00b00e9e2e6ecda7dfcb5cde01f4de3874bda
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including a critical finding for a PDF link farm and ClamAV detection as Pdf.Phishing.TtraffRobotInstall. The presence of numerous external links, many with numeric slugs, strongly suggests a phishing or SEO manipulation tactic. The ML classifier also returned a high confidence score for maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://eliasmmm.com/uploads/1/3/0/6/130621233/1305835.pdf
    • http://commongroundsphilly.com/uploads/1/3/0/7/130738945/zubolavudafe.pdf
    • http://fraeylemaensemble.nl/uploads/1/3/0/5/130539437/wavopig-muvakidase-subuxiz.pdf
    • http://konnektuk.com/uploads/1/3/0/7/130775166/lugiz_milatokum.pdf
    • http://7daysdietplan.net/uploads/1/3/0/4/130489564/bimizu-bizafiba-bufokesir-vuxuxagefudiza.pdf
    • http://nextlane360.com/uploads/1/3/0/5/130551625/watur.pdf
    • http://sneezydates.com/uploads/1/3/0/7/130739404/kipazire-pelim-nowejifelizo.pdf
    • http://essentiallybetterhealth.com/uploads/1/3/0/4/130489909/7382691.pdf
    • http://konzacoffeecompany.com/uploads/1/3/0/6/130622013/ad31563f0973be3.pdf
    • http://nharmonycastingandtalent.com/uploads/1/3/0/5/130538891/vovolejitukudija.pdf
    • http://dominadomino.co.uk/uploads/1/3/0/4/130489001/fowifileripuzux_kerepuzisevel.pdf
    • http://hypersomniac.net/uploads/1/3/0/5/130540823/45725.pdf
    • http://rachaellust.com/uploads/1/3/0/3/130313426/75c650ba62feb.pdf
    • http://tommymangos.com/uploads/1/3/0/8/130814169/2402bb2e1453a7.pdf
    • http://ontariocaairporthotel.com/uploads/1/3/0/5/130590030/f1d4712bab72.pdf
    • http://adsl-63-204-18-42.benefitplans.org/uploads/1/3/0/5/130539370/130539370.html#opencv+text+detection+%28east+text+detector%29+github

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00001486.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1486  9508 bytes
  SHA-256: 1202e8e1d7494bdab15504950e3ead5310affadbbf3095de3dec5598ab2592b6
font_01_sfnt_off0000b723.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB723  2712 bytes
  SHA-256: aa0570798aceaed3a14784aa7b7692c36ef93fa9c4c7caae50cf44d5f61f7b9a