Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8216a3d82be0ec9…

Verdict: MALICIOUS
File type: PDF
Size: 36.3 KB
Authoring application: Mobipocket Creator
MD5: a166bcf83693f6bea76aaa6dae3c9919
SHA-1: e933ac37ecb635b23d69fb3b650d2a692057a8e9
SHA-256: f8216a3d82be0ec91795343e5aa991727206faa4c252032aade1d8d4d751f8af
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF was flagged by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0 and by a machine learning classifier. The primary heuristic indicates a link farm: 14 clickable external links to PDF files, predominantly hosted on mypuriumsambi.com. The document body also contains numerous URLs pointing to PDF files on various other domains, which is consistent with a traffic-redirection or phishing campaign rather than a normal citation pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mypuriumsambi.com/uploads/1/3/0/6/130620854/maponukajowi-rusexur.pdf
    • http://windswept.co.za/uploads/1/3/0/6/130620395/mekanobobi.pdf
    • http://finnsabia.com/uploads/1/3/0/6/130639635/suxore_zuledakokaf_wujogikolif.pdf
    • http://clinicaespacosaudebeleza.net/uploads/1/3/0/5/130539726/kepawofu_zokuzipajuxob_rofedewizo.pdf
    • http://dippedarmor.com/uploads/1/3/0/5/130544384/5769831.pdf
    • http://just-plane.com/uploads/1/3/0/7/130775682/widebigajot-gelamaxiv.pdf
    • http://vergisdigitalmarketing.com/uploads/1/3/0/4/130483167/dogetexijipasi.pdf
    • http://nationalriskmanagementgroup.com/uploads/1/3/0/4/130435500/130435500.html#faces+vertices+and+edges+of+3d+shapes
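As an added illustration of the PDF_SEO_LINK_FARM heuristic above (example code written for this page, not the analysis platform's own implementation): the script extracts /URI link actions from a PDF, keeps http(s) targets whose path ends in .pdf, and flags the file when it is small, carries many such links, and most of them sit on a single host. The thresholds (64 KB, 10 links, 50% on the top host), the function names, and the hosts link-farm.example and siteN.example are assumptions; the sample PDF is constructed inline and omits the xref table, which the heuristic does not need.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Thresholds are assumptions for this example, not the report's tuned values.
MAX_SIZE_KB = 64        # "small PDF"
MIN_LINKS = 10          # minimum number of clickable external .pdf links
CLUSTER_RATIO = 0.5     # share of those links that must sit on a single host

# /URI (...) inside a link-action dictionary. Literal strings only; a full
# implementation would also decode hex strings and backslash escapes.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_link_uris(pdf_bytes):
    """Return every URI target found in /URI link actions."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def is_external_pdf_link(uri):
    """True for http(s) URLs whose path ends in .pdf."""
    parts = urlsplit(uri)
    return parts.scheme in ("http", "https") and parts.path.lower().endswith(".pdf")


def link_farm_score(pdf_bytes):
    """Apply the small-file / many-links / one-host heuristic to a PDF."""
    pdf_links = [u for u in extract_link_uris(pdf_bytes) if is_external_pdf_link(u)]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    ratio = top_count / len(pdf_links) if pdf_links else 0.0
    size_kb = len(pdf_bytes) / 1024
    flagged = (size_kb <= MAX_SIZE_KB
               and len(pdf_links) >= MIN_LINKS
               and ratio >= CLUSTER_RATIO)
    return {
        "size_kb": round(size_kb, 1),
        "external_pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_ratio": round(ratio, 2),
        "flagged": flagged,
    }


def build_sample_pdf(urls):
    """Construct a minimal PDF with one /Link annotation per URL.

    Constructed test input only: the xref table is omitted because the
    heuristic scans object bodies, not the cross-reference structure.
    """
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + annot_refs + b"] >>")
    for i, url in enumerate(urls):
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 %d 200 %d] "
                    b"/A << /S /URI /URI (%s) >> >>"
                    % (10 * i, 10 * i + 8, url.encode("latin-1")))
    body = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, start=1):
        body += b"%d 0 obj\n%s\nendobj\n" % (num, obj)
    return body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample: 14 external .pdf links, 9 of them on one assumed host.
FARM_HOST = "link-farm.example"
SAMPLE_URLS = ([f"http://{FARM_HOST}/uploads/1/3/0/{i}/doc{i}.pdf" for i in range(9)]
               + [f"http://site{i}.example/files/paper{i}.pdf" for i in range(5)])
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

# Constructed benign counterpart: two citation links, below the link threshold.
BENIGN_PDF = build_sample_pdf(["https://journal.example/ref1.pdf",
                               "https://journal.example/ref2.pdf"])

if __name__ == "__main__":
    print(link_farm_score(SAMPLE_PDF))
    print(link_farm_score(BENIGN_PDF))
```

The benign file shows why the count threshold matters: both of its links are on one host (ratio 1.0), but two citations are a normal pattern, so only the combination of small size, many links and host clustering triggers the verdict.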

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00001324.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1324  7528 bytes
  SHA-256: 2e55cc225f7276691f519aea507c586d07cb7529a0a2cfa2566cdc5481bfd1e4
font_01_sfnt_off00004adb.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4ADB  6684 bytes
  SHA-256: 6f15b145d41f79409be138c4cb8f71460287000a62cfb3d55bb0ed49113674dc
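The two artifacts above were carved from the PDF's embedded-font streams. The carver below is added here as an example of how such a record is produced; it is not the platform's own extractor. It walks every stream object, takes the data by its direct /Length (falling back to the endstream keyword when the length is indirect), inflates FlateDecode streams, keeps only blobs that start with an sfnt magic and carry a table directory whose records stay inside the blob, and names each one font_NN_sfnt_offXXXXXXXX.bin with its file offset, size and SHA-256. The sample PDF, the fake sfnt fonts inside it, and all function names are constructed for this example; font collections (ttcf) and filters other than FlateDecode are deliberately out of scope.

```python
import hashlib
import re
import struct
import zlib

# sfnt magics: TrueType, CFF-based OpenType, Apple TrueType. Collections
# ('ttcf') use a different header and are not handled by this example.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")

# Start of stream data: the keyword 'stream' plus EOL. \b keeps 'endstream' out.
STREAM_RE = re.compile(rb"\bstream\r?\n")
# Direct /Length only; '/Length 12 0 R' (indirect) deliberately does not match.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def parse_sfnt_directory(data):
    """Return the table tags if data starts with a sane sfnt directory, else None."""
    if len(data) < 12 or data[:4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack(">H", data[4:6])[0]
    if not 0 < num_tables <= 64 or len(data) < 12 + 16 * num_tables:
        return None
    tags = []
    for i in range(num_tables):
        tag, _csum, off, length = struct.unpack(">4sIII", data[12 + 16 * i:28 + 16 * i])
        if off + length > len(data):         # record points outside the blob
            return None
        tags.append(tag)
    return tags


def carve_sfnt_fonts(pdf_bytes):
    """Carve embedded sfnt fonts from every stream object, one record per font."""
    found = []
    for m in STREAM_RE.finditer(pdf_bytes):
        # The stream dictionary sits between the enclosing 'N G obj' and 'stream'.
        obj_pos = max(pdf_bytes.rfind(b" obj", 0, m.start()), 0)
        dict_text = pdf_bytes[obj_pos:m.start()]
        start = m.end()
        lm = LENGTH_RE.search(dict_text)
        if lm:
            data = pdf_bytes[start:start + int(lm.group(1))]
        else:
            # Indirect /Length: stop at 'endstream' and drop the EOL before it
            # (may clip a binary stream ending in CR/LF; direct length is preferred).
            end = pdf_bytes.find(b"endstream", start)
            if end < 0:
                continue
            data = pdf_bytes[start:end].rstrip(b"\r\n")
        if b"/FlateDecode" in dict_text:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue                     # corrupt or non-zlib payload
        tables = parse_sfnt_directory(data)
        if tables is None:
            continue                         # not a font stream
        found.append({
            "name": "font_%02d_sfnt_off%08x.bin" % (len(found), start),
            "kind": "pdf-font-stream",
            "source": "PDF embedded font (sfnt) at offset 0x%X" % start,
            "offset": start,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "tables": tables,
        })
    return found


def build_fake_sfnt(tags):
    """Construct a structurally valid TrueType sfnt with 32-byte filler tables."""
    n = len(tags)
    p = 1
    while p * 2 <= n:
        p *= 2
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", n, p * 16, p.bit_length() - 1, n * 16 - p * 16)
    records, bodies = b"", b""
    for tag in tags:
        body = tag * 8
        records += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(bodies), len(body))
        bodies += body
    return header + records + bodies


def build_sample_pdf():
    """Constructed PDF: a content stream, a raw font stream and a FlateDecode'd one."""
    font_a = build_fake_sfnt([b"head", b"hhea", b"maxp"])
    font_b = build_fake_sfnt([b"head", b"cmap"])
    content = b"BT /F1 12 Tf (Hello) Tj ET"
    deflated = zlib.compress(font_b)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
        b"<< /Length %d /Length1 %d >>\nstream\n" % (len(font_a), len(font_a))
        + font_a + b"\nendstream",
        b"<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n"
        % (len(deflated), len(font_b)) + deflated + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


SAMPLE_PDF = build_sample_pdf()

if __name__ == "__main__":
    for rec in carve_sfnt_fonts(SAMPLE_PDF):
        print(rec["name"], rec["kind"], rec["source"], rec["size"], "bytes", rec["sha256"])
```

The table-directory bounds check is what separates a carved font from a false positive: a stream that merely begins with 0x00010000 but whose table records point past the end of the blob is rejected rather than reported as an artifact.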