Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa1c763f623f4eb0…

MALICIOUS

PDF

Size: 46.2 KB
Authoring application: pstoedit
MD5: d19527709911c354995de61599750db5
SHA-1: aad6b70c8800d4cfe2772e6e02142b07a71b7582
SHA-256: fa1c763f623f4eb0b86d77140e529279c144cf0549b177915f197236b15368d2
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF files hosted on various domains, indicating a link farm or distribution mechanism. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly suggest malicious intent, likely related to phishing or traffic redirection. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://squareonefurnishings.com/uploads/1/3/0/4/130489803/wadugibikin-dilutadubozogu.pdf
    • http://thetee-shirt-shack.com/uploads/1/3/0/7/130738837/pozewepefu.pdf
    • http://lakegeorgebrewhouse.com/uploads/1/3/0/5/130539185/tawaxewekadipusiw.pdf
    • http://albuquerquemobilenotary.com/uploads/1/3/0/2/130271017/vidateteg-gotupopu-makekixi.pdf
    • http://macdonald-designs.com/uploads/1/3/0/6/130620272/padezojozolarexo.pdf
    • http://rgdesigns.org/uploads/1/3/0/4/130489467/3c4c892e9f.pdf
    • http://mkefacepaint.com/uploads/1/3/0/2/130273884/lalofebupi.pdf
    • http://partywife.net/uploads/1/3/0/8/130873978/8a5b50b0.pdf
    • http://magicsigma.com/uploads/1/3/0/2/130291545/foteraver.pdf
    • http://brotherssoap.com/uploads/1/3/0/9/130969993/dejepegela-pukatoxal-juwes-mobovavewuda.pdf
    • http://autumnweavesdecor.com/uploads/1/3/0/6/130621304/a933da.pdf
    • http://jessethorn.com/uploads/1/3/0/2/130287296/6425714.pdf
    • http://awaidallc.com/uploads/1/3/0/3/130323409/tiwazopibakewesud.pdf
    • http://sonhab.com/uploads/1/3/0/6/130620669/kaxezamoragew_vugelogarul_tefozodi_gagaxigozuram.pdf
    • http://cairobritishcollege.com/uploads/1/3/0/4/130478882/5dc37361f.pdf
    • http://pillarsofart.com/uploads/1/3/0/7/130776239/68f177e328bd6.pdf
    • http://streetwalkers.club/uploads/1/3/0/4/130483469/fe76e7ae.pdf
    • http://ardmoreccc.org/uploads/1/3/0/5/130544954/bunazajexisesuk.pdf
    • http://nicoleedwardslimited.com/uploads/1/3/0/2/130291800/6967954.pdf
    • http://marpalaceportuguese.devsite-1.com/uploads/1/3/0/3/130313379/130313379.html#pre-intermediate+reading+comprehension+worksheets+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off000034a0.bin
    SHA-256: 1b0b9ccafa3a8d4187e86757028d03de598065db96186c0e11ce259314def278
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x34A0
    Size: 2684 bytes
  • font_01_sfnt_off00003d8e.bin
    SHA-256: c6c28444bcd94379862b6cc7f8cfcdbcdaeb026857ccdb099d87626a561054a6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3D8E
    Size: 16092 bytes
  • font_02_sfnt_off0000551c.bin
    SHA-256: 4c09ac0cce00e6efc562ea9caa82ec2e04c7eb10bf7df294973db516f5919850
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x551C
    Size: 8084 bytes