Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2f388a87ad7e50a…

Verdict: MALICIOUS
File type: PDF
Size: 41.6 KB
Authoring application: SWFTools
MD5: 0d7af1facf2bccffe3e4aeb8bb2a1620
SHA-1: 123f5d7d6e7793593041ecbc4cca801f6047f19b
SHA-256: f2f388a87ad7e50acbbf32306f15c4f66bc8dc3d0c2180cf87d8b78ffe4d1508
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, a technique often used for SEO manipulation to drive traffic to malicious sites or to host phishing content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent. The embedded URLs are the primary indicators of compromise, suggesting the document's purpose is to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001297.bin
    SHA-256: 6f222ced596c5dafa1ca695e3b7a26daa71df2cf69e10889dff2e30ab369bd85
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1297
    Size: 8428 bytes
  • Filename: font_01_sfnt_off00005186.bin
    SHA-256: 50224c6c483bfa86a10f62efd7baa2c756f8036c0a911ebd537387e21b2fb6f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5186
    Size: 2732 bytes
  • Filename: font_02_sfnt_off00005a9d.bin
    SHA-256: c74160dc7cddbe93d35a4ee8e60d2dfd2aaa54668830e3fd8d87381bd1ac8609
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5A9D
    Size: 16276 bytes