Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1e0fb2e09d279c3…

Verdict: MALICIOUS
File type: PDF
Size: 48.6 KB
Authoring application: ImageMagick
MD5: ca23a94ffd0a739a8666181de789d34a
SHA-1: e204e9e0bb9175fa8517b2036b21879585ce420a
SHA-256: f1e0fb2e09d279c3ba575c3a49eebf625db0170cf72734a07668fb94b7fbb089
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing Link

This PDF file was flagged by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0 and by a machine learning classifier with high confidence (Nyx PDF Classifier score 1.0000). The primary heuristic identified a large number of clickable external links to other PDF files in a file of only 48.6 KB, a pattern consistent with a generated SEO link farm or redirection carrier rather than a normal document with citations. The document body contains garbled text alongside the embedded URLs, which reinforces that assessment. The embedded URLs are most likely used to route users to further malicious content, unwanted-software downloads, or phishing pages; note that none of the URLs was fetched during static analysis, so the final landing content is not verified here.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://kaluvow.gamefreeplus.ru/uploads/2020/01/27/4222414.pdf
    • http://community-presale.online/uploads/2020/01/28/5369609.pdf
    • http://spiritmarkpress.com/uploads/1/3/0/2/130289179/dutusapegatazuze.pdf
    • http://artinicontest.com/uploads/1/3/0/2/130289453/raxezutifulosirag.pdf
    • http://muskegonapostolic.net/uploads/1/3/0/6/130605302/bolojawabe.pdf
    • http://migef.sally-girl.pw/uploads/2020/01/27/3210667.pdf
    • http://rencommunicatons.com/uploads/1/3/0/6/130620854/291739fa6adc.pdf
    • http://carzonerepairandbody.com/uploads/1/3/0/5/130590561/pitexeruxu.pdf
    • http://risesportscast.com/uploads/1/3/0/5/130588169/birurunokanezes.pdf
    • http://sezoxo.avangardenspace.com/uploads/2020/01/28/1b01985b260427.pdf
    • https://fujagefamedufuv.weebly.com/uploads/1/3/0/3/130379352/ramalalirut-pusodefafutimoj-tibisiv-lelisaxogog.pdf
    • http://loudmountains.com/uploads/1/3/0/6/130620416/gizanuzuveragoj.pdf
    • https://ruvuriwi.weebly.com/uploads/1/3/0/5/130551095/pifigojamolem.pdf
    • http://allamericandogexpo.com/uploads/1/3/0/6/130639444/130639444.html#active+learning+template+nursing+skill+medication+administration
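The two heuristics above (PDF_SEO_LINK_FARM and the per-channel URL attribution behind EMBEDDED_URL) can be reproduced with a small byte-level extractor. The following is an added example written for this report, not code from the analysis platform or from the sample: it pulls URLs out of /URI link-annotation actions and, separately, out of the rest of the file bytes, then applies a size / link-count / host-clustering rule. The size and count thresholds, the host names under .invalid, and the PDF skeleton builder are all assumptions constructed for the example; the skeleton has no valid xref table and is only there so the block runs offline.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Byte-level patterns over an *uncompressed* PDF. Real carriers often keep
# annotations inside FlateDecode object streams; inflate those first (for
# example with qpdf --qdf or a PDF library) before applying these patterns.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
BODY_URL_RE = re.compile(rb"https?://[^\s)<>\"']+")


def extract_urls(pdf_bytes):
    """Return (url, channel) pairs.

    'link_annotation' = clickable /URI action inside a /Link annotation,
    'document_body'   = URL found anywhere else in the raw bytes.
    Each URL is reported once, attributed to the first channel that reached it.
    """
    seen, found = set(), []
    for m in URI_ACTION_RE.finditer(pdf_bytes):
        url = m.group(1).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append((url, "link_annotation"))
    for m in BODY_URL_RE.finditer(pdf_bytes):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append((url, "document_body"))
    return found


def link_farm_verdict(pdf_bytes, max_size=200_000, min_links=8, cluster_share=0.5):
    """PDF_SEO_LINK_FARM-style rule: a small file carrying many clickable
    external links, most of them pointing at one host. The thresholds are
    assumptions for this example, not the report's tuned values."""
    links = [u for u, ch in extract_urls(pdf_bytes)
             if ch == "link_annotation" and urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname or "" for u in links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(links) if links else 0.0
    return {
        "size": len(pdf_bytes),
        "external_links": len(links),
        "top_host": top_host,
        "top_host_share": share,
        "flagged": bool(len(pdf_bytes) <= max_size
                        and len(links) >= min_links
                        and share >= cluster_share),
    }


def build_sample_pdf(annot_urls, body_text):
    """Constructed, uncompressed PDF skeleton (no xref table) with one page,
    one content stream carrying body_text, and one /Link annotation per URL.
    Enough for the byte-level extraction above; not a real carrier sample."""
    parts, n = [b"%PDF-1.4\n"], 1

    def obj(body):
        nonlocal n
        parts.append(b"%d 0 obj\n%s\nendobj\n" % (n, body))
        n += 1

    obj(b"<< /Type /Catalog /Pages 2 0 R >>")
    obj(b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>")
    refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(annot_urls)))
    obj(b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + refs + b"] >>")
    stream = b"BT /F1 12 Tf (" + body_text.encode("latin-1") + b") Tj ET"
    obj(b"<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream")
    for u in annot_urls:
        obj(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>")
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


# Constructed inputs (assumed hosts, not from the analysed sample):
# ten links clustered on one host plus two stragglers, and one body-text URL.
SAMPLE_ANNOT_URLS = (
    [f"http://links.example.invalid/uploads/2020/01/27/{i}.pdf" for i in range(10)]
    + ["http://other-one.example.invalid/a.pdf", "https://other-two.example.invalid/b.pdf"]
)
SAMPLE_BODY = "garbled text see http://body.example.invalid/landing.html now"
BENIGN_ANNOT_URLS = ["https://docs.example.invalid/ref.pdf", "https://www.example.invalid/"]

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_ANNOT_URLS, SAMPLE_BODY)
    for url, channel in extract_urls(sample):
        print(f"{channel:16} {url}")
    print(link_farm_verdict(sample))
    print(link_farm_verdict(build_sample_pdf(BENIGN_ANNOT_URLS, "normal citation text")))
```

Run as a script to see each URL with the channel that reached it, followed by the verdict dictionary for the farm-shaped sample (flagged) and for a two-link benign document (not flagged). On a real sample, feed the decompressed bytes and compare the host distribution against the URL list in the report.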

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00000f79.bin
SHA-256: 54e30ca4cb79a5d7955c2b4f5cb590e0d3e5a4c759e82cccc728591bd2d48bd3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF79
Size: 7944 bytes