Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa0db60980d639ff…

MALICIOUS

PDF

Size: 32.1 KB
Authoring application: Poppler-utils
MD5: 1cb0a942f6744c58a56881aeb3df69b9
SHA-1: 690cc20041b1b0d488221680cf9c2fab9c2a0afb
SHA-256: fa0db60980d639ffb29ac7764bb9ab47879c0dcd6ed0186d09968ee632a1e7a5
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded URLs pointing to external PDF documents, a technique commonly used for SEO poisoning or phishing. The heuristic 'PDF_SEO_LINK_FARM' and the ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly indicate malicious intent. The embedded URLs are likely part of a campaign to redirect users to malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://misabeppa.com/uploads/1/3/0/6/130621965/f85a9d54fa9322.pdf
    • http://www.blackpiers.com/uploads/1/3/0/6/130621552/wizopadege.pdf
    • http://bayleighscloset.co/uploads/1/3/0/7/130776649/7374022.pdf
    • http://wehavebabylove.com/uploads/1/3/0/7/130776276/valerudapuposefogi.pdf
    • http://auburnacupuncture.info/uploads/1/3/0/5/130589187/7704383.pdf
    • http://stratekia.net/uploads/1/3/0/4/130476499/nenukoxolepuvogix.pdf
    • http://appliedcleaningtechnologies.com/uploads/1/3/0/7/130776434/e0768.pdf
    • http://peru.cctvradio.com/uploads/1/3/0/5/130545818/magawisizururo.pdf
    • http://bringontheagame.com/uploads/1/3/0/2/130273626/7456318.pdf
    • http://cschorun.com/uploads/1/3/0/5/130588731/4d21c4e1eb42e5.pdf
    • http://casaservicesfinanciers.com/uploads/1/3/0/4/130488754/f92fa2.pdf
    • http://susangcave.com/uploads/1/3/0/7/130740490/lataxotageviwupida.pdf
    • http://hostmaster.westmidlandsconcertband.co.uk/uploads/1/3/0/4/130478602/1044905.pdf
    • http://s56ri.bpmtc.com/uploads/1/3/0/5/130541677/0349d277.pdf
    • http://www.dimmocksretreat.com/uploads/1/3/0/5/130550903/lebiligab-ruviketibupi-dapojoxadufoxuv-razesegom.pdf
    • http://hostmaster.itholidayhomes.com/uploads/1/3/0/3/130313145/2674a9640d0c310.pdf
    • http://www.thekairoscentre.com/uploads/1/3/0/8/130873903/biputa_gixux.pdf
    • http://www.happycakesgreenville.com/uploads/1/3/0/6/130621720/wufilavube_jiwirewe_tevebadodedo_nejilinulugimu.pdf
    • http://dalexanderward.net/uploads/1/3/0/5/130589433/lupokamagegotuge.pdf
    • http://www.losrl.it/uploads/1/3/0/2/130289721/pifakutulegorur.pdf
    • http://theconsideratecritic.com/uploads/1/3/0/3/130323462/kupimo_zatirixagezati.pdf
    • http://www.nnbbss.com/uploads/1/3/0/5/130543537/227d0fa.pdf
    • http://jolindtays.com/uploads/1/3/0/3/130313066/4423573.pdf
    • http://taiyangchengzongdaili.br3h.com/uploads/1/3/0/5/130551210/130551210.html#sample+large+pdf+files+for+testing
    • http://theconsideratecritic.com/uploads/1/3

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001c37.bin
SHA-256: cca7b77b900c9e9e6d03d5a109da243e670212fe01970c46af6aa3255014bc34
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1C37
Size: 7248 bytes