Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2543e984593364d…

Verdict: MALICIOUS
File type: PDF
Size: 39.2 KB
Authoring application: Solid Converter PDF
MD5: dd8d1e4fb686440040442f1790130556
SHA-1: 195016e35890c3ce2b8c94a7d9ae5b25e7887fd7
SHA-256: f2543e984593364dc78a7621aba78f402a652e53619e1a65c58a28737f7124be
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute malware. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate malicious intent. The document body is heavily obfuscated and unreadable, providing no direct clues about the specific lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003a50.bin
SHA-256: 8cb8aa4e75b02a473b3f3c5958ec08840b40dbf0c824405c6efe8f47a7637d2f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3A50
Size: 7652 bytes