Malicious PDF — malware analysis report

Static analysis result for SHA-256 f4694a73b3b51b00…

MALICIOUS

PDF

Size: 33.1 KB
Authoring application: PDFBox
MD5: b4d582d96f17a832d6bd4bd2936d41b4
SHA-1: f9fd3fd61d9d138239e07715c1ba7014c5c10856
SHA-256: f4694a73b3b51b00136f70330ee5c3fdd283508a6567974bb7eee07634cf2f85
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic, which strongly suggests a phishing or redirection campaign. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports this assessment. The document body itself is heavily obfuscated but contains many of the same URLs found in the heuristics, indicating they are the primary payload mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001e3f.bin (d65d8897f66eb1a04921577394bc512d8a3ac6a83c0a9a5f106fa26435c08af0)
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1E3F
Size: 7452 bytes