Malicious PDF — malware analysis report

Static analysis result for SHA-256 f39128eb45c77cfb…

MALICIOUS

PDF

Size: 63.1 KB
Authoring application: pdf-parser
MD5: a4e9e75fe241aade4775f0606af2bda4
SHA-1: 6e56b26b853e48cb7bc615b0e2aecc32d0252af4
SHA-256: f39128eb45c77cfb276929f80b4cd149c8c39e8efb842e51e6a409ab8c97629d
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic. These URLs point to various domains and appear to be part of a link farm, suggesting a phishing or SEO poisoning campaign. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports the malicious nature of this document.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000163d.bin
SHA-256: b80b20e16899f542a337f3fe1a7799a6f47a1352c56011872bdc082c8979e174
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x163D
Size: 8624 bytes

Filename: font_01_sfnt_off0000b925.bin
SHA-256: 2b2f61e3f804cc48ffd7226d6d4c4f1048dc6d3d87e5e0b0cf2f6383974503b3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xB925
Size: 3240 bytes