Malicious PDF — malware analysis report

Static analysis result for SHA-256 eed5b1e1393c0e43…

Verdict: MALICIOUS
File type: PDF
Size: 27.2 KB
Authoring application: Adobe PDF Library 9.0
MD5: 9c8d966f1076f2714d9f1c8c07ec1a9c
SHA-1: ffe9c49ff65b7aa7b8d1d6be845d4302d11ae1ba
SHA-256: eed5b1e1393c0e43458babdf41bad7cbad24b1c534b54f6c34ad1bc85cdaf9f2
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell

Nothing in the static findings below (link annotations and one embedded font) shows a PowerShell stage inside this file; read the T1059.001 mapping as describing the delivery chain the links lead into, not as a property of the PDF itself.

The PDF's content is essentially a set of clickable external link annotations pointing at other PDFs: 12 of the 13 extracted URLs end in .pdf, each sits on a different host, and all 13 share the same /uploads/1/3/0/<digit>/<9-digit number>/ path layout, which is the pattern of a generated SEO link-farm carrier rather than of a document citing sources. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier (malicious score 0.9999) independently label the file malicious. The embedded URLs are the usable indicators of compromise: treat them as lures or as download locations for the next stage, and block or monitor the hosts accordingly. No JavaScript, embedded file or other executable content appears among the static findings, and the only carved artifact is an embedded font, so the risk lies in where the links lead rather than in the file itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://growtem.com/uploads/1/3/0/7/130775201/5183367.pdf
    • http://produtosodontologicos.net/uploads/1/3/0/8/130813037/a384b.pdf
    • http://www.canyonlaketax.com/uploads/1/3/0/4/130483122/01edd91cf5aacd2.pdf
    • http://swappinghub.com/uploads/1/3/0/6/130639734/1449726.pdf
    • http://faradayfuture.implementation.collectivehealth.com/uploads/1/3/0/8/130874119/gopirigananux_vogope_gasubifuxivodi_wupiworigimama.pdf
    • http://showtimesolutions.website/uploads/1/3/0/6/130620363/lawesukib.pdf
    • http://knowsbest.net/uploads/1/3/0/6/130639691/xobufikejelole.pdf
    • http://alexandrethiery.com/uploads/1/3/0/7/130775429/76968fe896fcbb.pdf
    • http://1694woodglen.com/uploads/1/3/0/6/130639257/866159.pdf
    • http://amysinspirations.com/uploads/1/3/0/6/130604877/moxegabiroz.pdf
    • http://cageymoon.com/uploads/1/3/0/6/130604101/c967f219.pdf
    • http://playground.fail/uploads/1/3/0/7/130776693/xololaxasesif.pdf
    • http://destinedtodelighttravel.voyagerwebsites.com/uploads/1/3/0/7/130739344/130739344.html#kannada+shabarimale+swamy+ayyappa+bhakthi+geethegalu+video+song
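To show what the PDF_SEO_LINK_FARM rule above actually measures, here is an added example (not the analysis platform's code and not part of the original report) that pulls URLs out of raw PDF bytes, labels the channel that reached each one (link annotation versus JavaScript action, as the EMBEDDED_URL note describes), and applies a link-farm rule with illustrative thresholds. It runs against a constructed minimal PDF whose link targets are the 13 URLs listed in this report; the JavaScript open action and its example.invalid URL are constructed, and the size, count and ratio thresholds are assumptions. It also goes one step beyond the rule text: besides clustering on a single host it counts a shared path template across different hosts, which is the pattern these 13 URLs actually show.

```python
"""Added example: a link-farm heuristic over raw PDF bytes.

Not the analysis platform's code. Thresholds are illustrative, the JavaScript
open action and its example.invalid URL are constructed, and the sample PDF is
built in memory from the 13 URLs this report lists.
"""
import re
from collections import Counter
from urllib.parse import urlparse

REPORT_URLS = [  # the link targets extracted from the sample, as listed above
    "http://growtem.com/uploads/1/3/0/7/130775201/5183367.pdf",
    "http://produtosodontologicos.net/uploads/1/3/0/8/130813037/a384b.pdf",
    "http://www.canyonlaketax.com/uploads/1/3/0/4/130483122/01edd91cf5aacd2.pdf",
    "http://swappinghub.com/uploads/1/3/0/6/130639734/1449726.pdf",
    "http://faradayfuture.implementation.collectivehealth.com/uploads/1/3/0/8/130874119/gopirigananux_vogope_gasubifuxivodi_wupiworigimama.pdf",
    "http://showtimesolutions.website/uploads/1/3/0/6/130620363/lawesukib.pdf",
    "http://knowsbest.net/uploads/1/3/0/6/130639691/xobufikejelole.pdf",
    "http://alexandrethiery.com/uploads/1/3/0/7/130775429/76968fe896fcbb.pdf",
    "http://1694woodglen.com/uploads/1/3/0/6/130639257/866159.pdf",
    "http://amysinspirations.com/uploads/1/3/0/6/130604877/moxegabiroz.pdf",
    "http://cageymoon.com/uploads/1/3/0/6/130604101/c967f219.pdf",
    "http://playground.fail/uploads/1/3/0/7/130776693/xololaxasesif.pdf",
    "http://destinedtodelighttravel.voyagerwebsites.com/uploads/1/3/0/7/130739344/130739344.html#kannada+shabarimale+swamy+ayyappa+bhakthi+geethegalu+video+song",
]
CONSTRUCTED_JS = 'app.launchURL("http://example.invalid/update.pdf")'  # constructed, not from the sample


def _string_re(key: bytes) -> re.Pattern:
    """Match /Key followed by a PDF literal string (...) or hex string <...>."""
    return re.compile(
        b"/" + key + rb"\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)",
        re.DOTALL)

URI_RE = _string_re(b"URI")  # link annotations: /A << /S /URI /URI (...) >>
JS_RE = _string_re(b"JS")    # JavaScript actions: /S /JavaScript /JS (...)
HTTP_RE = re.compile(rb"https?://[^\s'\"()<>]+")

def _decode(m: re.Match) -> str:
    """PDF string to text: hex strings, plus the escaped ( ) and backslash in literals."""
    if m.group("hex") is not None:
        h = re.sub(rb"\s", b"", m.group("hex"))
        h += b"0" * (len(h) % 2)  # PDF pads an odd final nibble with 0
        return bytes.fromhex(h.decode("ascii")).decode("latin-1")
    return re.sub(rb"\\([()\\])", rb"\1", m.group("lit")).decode("latin-1")

def extract_urls(pdf: bytes) -> list:
    """(channel, url) pairs: which part of the file reached each URL."""
    found = [("link-annotation", _decode(m)) for m in URI_RE.finditer(pdf)]
    for m in JS_RE.finditer(pdf):
        for raw in HTTP_RE.findall(_decode(m).encode("latin-1")):
            found.append(("javascript", raw.decode("latin-1")))
    return found

def link_farm_verdict(pdf: bytes, size_limit=200_000, min_links=8,
                      pdf_ratio=0.75, cluster_ratio=0.5) -> dict:
    """PDF_SEO_LINK_FARM-style rule; also counts a shared path template across hosts."""
    links = [u for ch, u in extract_urls(pdf) if ch == "link-annotation"]
    ext = [p for p in map(urlparse, links) if p.scheme in ("http", "https")]
    n = len(ext)
    hosts = Counter(p.netloc.lower() for p in ext)
    prefixes = Counter("/".join(p.path.split("/")[:5]) for p in ext)  # e.g. /uploads/1/3/0
    top_host, top_host_n = (hosts.most_common(1) or [("", 0)])[0]
    top_prefix, top_prefix_n = (prefixes.most_common(1) or [("", 0)])[0]
    pdf_targets = sum(p.path.lower().endswith(".pdf") for p in ext)
    clustered = n > 0 and max(top_host_n, top_prefix_n) / n >= cluster_ratio
    flagged = (len(pdf) <= size_limit and n >= min_links
               and pdf_targets / max(n, 1) >= pdf_ratio and clustered)
    return {"size": len(pdf), "external_links": n, "pdf_targets": pdf_targets,
            "distinct_hosts": len(hosts), "top_host": top_host,
            "shared_path_prefix": top_prefix,
            "shared_prefix_share": round(top_prefix_n / n, 2) if n else 0.0,
            "flagged": flagged}

def build_sample_pdf(urls, js=None) -> bytes:
    """Constructed stand-in sample: uncompressed PDF with one /Link per URL and an
    optional /OpenAction JavaScript. It has no real xref, so a viewer will reject
    it; the byte scan above does not need one."""
    def lit(s):  # escape text as a PDF literal-string body
        return re.sub(rb"([()\\])", rb"\\\1", s.encode("latin-1"))
    action = b" /OpenAction << /S /JavaScript /JS (" + lit(js) + b") >>" if js else b""
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R" + action + b" >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>"]
    objs += [b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] /A << /S /URI /URI ("
             % (700 - 14 * i, 712 - 14 * i) + lit(u) + b") >> >>" for i, u in enumerate(urls)]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R /Size %d >>\n%%%%EOF\n" % (len(objs) + 1)

if __name__ == "__main__":
    sample = build_sample_pdf(REPORT_URLS, js=CONSTRUCTED_JS)
    for channel, url in extract_urls(sample):
        print(f"{channel:16} {url}")
    print(link_farm_verdict(sample))
```

On the constructed sample the verdict reports 13 external links on 13 distinct hosts, 12 of them .pdf targets, with every path starting /uploads/1/3/0, so the cross-host template carries the clustering test even though no single host dominates. Because the scan is a regex over raw bytes it only sees uncompressed objects; a carrier that keeps its annotations in a FlateDecode object stream would pass it clean, so inflate streams first or use a proper PDF parser before trusting a negative result.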

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001479.bin
    SHA-256: 3132c0036fb2e56c613f26d6f89f6447616f833c70ba28ee9317c1d2e8b4237e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1479
    Size: 6812 bytes

An embedded font is a normal PDF component; it is listed because it was carved, not as a detection, and it is not among the three heuristics above.