Malicious PDF — malware analysis report

Static analysis result for SHA-256 f3fd21041d7dfcbf…

Verdict: MALICIOUS
File type: PDF
Size: 56.8 KB
Authoring application: Adobe PDF Library 9.0
MD5: 96d69ebb41b75af561019fbad8b2fb50
SHA-1: 6ad6bb8b805efc9dffaaa843ab71aa03870da2f4
SHA-256: f3fd21041d7dfcbf74dc2240cc35a205cb000b9809ec3db9455503b45a5a2c40
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

The PDF was flagged by multiple heuristics, including a critical finding for a link farm of external PDF links. The ML classifier also rated it as malicious with high confidence. The embedded URLs point to similarly structured PDF files (identical /uploads/1/3/0/<n>/<nine-digit id>/ paths) hosted on six distinct domains, which suggests a generated, coordinated set of carrier documents used to redirect users rather than ordinary document citations. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic-redirection motive.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9992

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    A small PDF that contains many clickable external PDF links, typically clustered on one host or sharing one path template. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Extracted URLs (five .pdf targets and one .html target):
    • http://behuninvocalstudio.com/uploads/1/3/0/6/130639764/pusex.pdf
    • http://drrobertlang.com/uploads/1/3/0/5/130590043/tozut.pdf
    • http://mydivinewomb.com/uploads/1/3/0/3/130323216/wijaladuwax.pdf
    • http://animeconcarne.com/uploads/1/3/0/7/130775119/delum.pdf
    • http://openbarfreefood.com/uploads/1/3/0/4/130483205/5595a157.pdf
    • http://djsacademy.com/uploads/1/3/0/3/130323762/130323762.html#triangle+inequality+absolute+value+function
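The two checks described above (per-channel URL extraction and the small-PDF link-farm heuristic) can be reproduced with a short script. The example below is added here and is not the analysis tool's own code: the miniature PDFs, the host names, the thresholds and the path-template check are all assumptions chosen to illustrate the logic, not values taken from the report.

```python
"""Per-channel URL extraction and a PDF_SEO_LINK_FARM-style heuristic.

Added example; the thresholds and sample documents are hypothetical.
The regexes work on uncompressed objects only (see usage note).
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Hypothetical thresholds; the report does not state the tool's real ones.
MAX_SIZE = 100 * 1024      # "small PDF"
MIN_LINKS = 4              # "many" clickable external links
MIN_PDF_RATIO = 0.6        # share of links whose target is a .pdf
MIN_CLUSTER_RATIO = 0.5    # share of links on one host or one path template

LINK_URI = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
JS_ACTION = re.compile(rb"/S\s*/JavaScript\s*/JS\s*\(([^)]*)\)")
BARE_URL = re.compile(rb"https?://[^\s()<>\"']+")


def extract_urls(pdf: bytes):
    """Return (url, channel) pairs; channel names which object carried the URL."""
    found, seen = [], set()
    for m in LINK_URI.finditer(pdf):                 # /Link annotation /URI actions
        url = m.group(1).decode("latin-1")
        found.append((url, "link-annotation")); seen.add(url)
    for m in JS_ACTION.finditer(pdf):                # URLs inside /JavaScript actions
        for raw in BARE_URL.findall(m.group(1)):
            url = raw.decode("latin-1")
            found.append((url, "javascript")); seen.add(url)
    for m in BARE_URL.finditer(pdf):                 # anything else, e.g. page text
        url = m.group(0).decode("latin-1")
        if url not in seen:
            found.append((url, "document-body")); seen.add(url)
    return found


def path_template(url: str) -> str:
    """Directory part of the path with numeric segments masked, file name dropped."""
    parts = urlparse(url).path.split("/")[:-1]
    return "/".join("#" if p.isdigit() else p for p in parts)


def link_farm_check(pdf: bytes) -> dict:
    """Score a PDF against the link-farm pattern: small file, many clickable
    external links, mostly .pdf targets, clustered by host or path template."""
    links = [u for u, ch in extract_urls(pdf)
             if ch == "link-annotation" and u.startswith(("http://", "https://"))]
    n = len(links)
    hosts = Counter(urlparse(u).hostname for u in links)
    templates = Counter(path_template(u) for u in links)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl, top_tpl_n = templates.most_common(1)[0] if templates else (None, 0)
    pdf_targets = sum(urlparse(u).path.lower().endswith(".pdf") for u in links)
    flagged = (len(pdf) <= MAX_SIZE and n >= MIN_LINKS
               and pdf_targets / n >= MIN_PDF_RATIO
               and max(top_host_n, top_tpl_n) / n >= MIN_CLUSTER_RATIO)
    return {"size": len(pdf), "external_links": n, "pdf_targets": pdf_targets,
            "top_host": top_host, "top_host_links": top_host_n,
            "top_template": top_tpl, "top_template_links": top_tpl_n,
            "flagged": flagged}


def _annot(num, url):
    return (b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
            b"   /A << /S /URI /URI (%s) >> >> endobj\n") % (num, url)

# Constructed sample mimicking a link-farm carrier: five link annotations
# on four hosts with one shared path template, one JS action and one URL
# in page text. Hand-built for this example, not the analysed file.
SAMPLE_FARM = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 9 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 10 0 R\n"
    b"   /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj\n"
    + _annot(4, b"http://host-a.example/uploads/1/3/0/6/130639764/one.pdf")
    + _annot(5, b"http://host-b.example/uploads/1/3/0/5/130590043/two.pdf")
    + _annot(6, b"http://host-c.example/uploads/1/3/0/3/130323216/three.pdf")
    + _annot(7, b"http://host-a.example/uploads/1/3/0/7/130775119/four.pdf")
    + _annot(8, b"http://host-d.example/uploads/1/3/0/3/130323762/130323762.html#x")
    + b"9 0 obj << /S /JavaScript /JS (app.launchURL\\(\"http://js-host.example/go.pdf\", true\\);) >> endobj\n"
    b"10 0 obj << /Length 62 >> stream\n"
    b"BT /F1 12 Tf 72 600 Td (See http://text-host.example/notes.pdf for details) Tj ET\n"
    b"endstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

# Constructed benign control: one citation link only.
SAMPLE_BENIGN = (b"%PDF-1.4\n3 0 obj << /Type /Page /Annots [4 0 R] >> endobj\n"
                 + _annot(4, b"https://example.org/papers/2021/paper.pdf") + b"%%EOF\n")


if __name__ == "__main__":
    for url, channel in extract_urls(SAMPLE_FARM):
        print(f"{channel:16} {url}")
    print(link_farm_check(SAMPLE_FARM))
    print(link_farm_check(SAMPLE_BENIGN))
```

The regexes only see objects stored in the clear; most real PDFs keep annotations and page content in FlateDecode streams or object streams, so a practitioner would inflate those first (pdf-parser/peepdf or pypdf) and then apply the same logic. The clustering step intentionally checks path template as well as host, since the report's own URL list spans six domains that share one /uploads/1/3/0/... layout.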

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001137.bin
  SHA-256: 41ff5b184f598ed44d39592c7f88e3dfd29a865b33a4806d3edfd405ec1c4ad0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1137
  Size: 9168 bytes

Filename: font_01_sfnt_off00008c53.bin
  SHA-256: ad076573b5e236e28ca41211b46e94ad3ef79ae54e0dc91f4de75d407f37c977
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8C53
  Size: 3312 bytes

Filename: font_02_sfnt_off00009776.bin
  SHA-256: 18079aa1143e873fada7aa8d358fa5d401d42f5c4b1e6cf56f60acaa1a76d6ec
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9776
  Size: 16364 bytes