Malicious PDF — malware analysis report

Static analysis result for SHA-256 f9a6de52a7f63fd0…

Verdict: MALICIOUS

File type: PDF

Size: 48.6 KB
Authoring application: PDFBox
MD5: 221994b26698e25e804c2b341050a93f
SHA-1: f9c9f279d36ef8e2a268800792dab9904dd7876e
SHA-256: f9a6de52a7f63fd0320d4f490f8a8d18a6935c3dad8fb1a9cbbd6bb4c2bcdacc
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing Link

The PDF was flagged by multiple heuristics, including ClamAV detecting it as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and a critical heuristic firing for a PDF link farm. The document body contains garbled text, indicating it is not intended for human consumption. The primary malicious activity appears to be the mass embedding of external PDF links, likely to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000065b5.bin
SHA-256: db0bf7672f41f3aa66b51807a77400f7a292a33ea896bcb75c1aaf10fbaba9e6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x65B5
Size: 8572 bytes