Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb1388d99e17021a…

Verdict: MALICIOUS
File type: PDF
Size: 37.4 KB
Authoring application: Poppler-utils
MD5: e0b44826c9ad2618853a13659abf855c
SHA-1: d2d24a5ff76e5d8aeb9023baf249671503924e01
SHA-256: fb1388d99e17021ac37dc7348a436d4f1ce54ca7c88cbfcecef0a97cf6d58db1
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

This PDF was flagged by three heuristics, two of them critical: the PDF_SEO_LINK_FARM rule and a ClamAV signature match for Pdf.Phishing.TtraffRobotInstall-7605656-0. The document carries 17 clickable external URLs; 16 point at other PDF files and one at an HTML page whose URL fragment is SEO bait ("how to add text form in wordpress"). The hosts are all distinct, but every link shares the same path template (/uploads/1/3/0/<digit>/<9-digit id>/<random name>.pdf), which points to mass-generated documents on one hosting platform rather than a normal citation pattern. The Nyx ML classifier independently scored the file as malicious (0.9999). No JavaScript or other scripts were extracted, and the only carved artifacts are two embedded fonts, so the file itself carries no executable payload: its purpose is to route a reader who clicks through into an external delivery chain. For response, the actionable indicators are the URLs and hosts listed below, not the document's own code; treat the destinations as the thing to block and hunt for.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://forsheylaw.org/uploads/1/3/0/3/130313624/sojufimulorivof_tuwid_turipopawe_sibak.pdf
    • http://mymoneybuilder.net/uploads/1/3/0/5/130543979/4db60fd3f.pdf
    • http://girlycrew.com/uploads/1/3/0/2/130272501/78acecebf2.pdf
    • http://jungermanfoundation.org/uploads/1/3/0/5/130590756/lisav.pdf
    • http://pingboguojiguanwang.br3h.com/uploads/1/3/0/7/130739603/reporo-bijeparologiw.pdf
    • http://diceplosion.com/uploads/1/3/0/6/130604791/zokanumotigumijitupe.pdf
    • http://www.freshtracksphysio.com/uploads/1/3/0/7/130775659/menewot.pdf
    • http://northjerseydirectmail.com/uploads/1/3/0/3/130323423/79ea0adc26c4.pdf
    • http://mezalejandro.com/uploads/1/3/0/5/130539354/5ee624c378c.pdf
    • http://mail.byrobinraymond.com/uploads/1/3/0/9/130969618/360f340848.pdf
    • http://cloud9weddingflowers.com/uploads/1/3/0/6/130605380/3549561.pdf
    • http://www.dragonflyproductions.biz/uploads/1/3/0/6/130604720/f6367f540d58d.pdf
    • http://10thkind.com/uploads/1/3/0/7/130775505/a90d2b01c59255.pdf
    • http://skunkremovalknoxville.com/uploads/1/3/0/5/130540246/583dcd.pdf
    • http://www.highsierra.com.co/uploads/1/3/0/8/130874066/sugusiwotitap_kusafu_bexuzukasi.pdf
    • http://www.barcraisetheruff.com/uploads/1/3/0/5/130542894/749a79.pdf
    • http://kudos24.pleasingfood.com/uploads/1/3/0/6/130604044/130604044.html#how+to+add+text+form+in+wordpress
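The two heuristics above (the link-farm rule and the per-URL channel labels) are easy to reproduce without a sandbox. The script below is an added example written for this page, not the analysis platform's own rule code: it extracts URLs from a raw PDF, labels each as coming from a /Link annotation with a /URI action or from the document body, and then applies a link-farm check. It goes one step beyond the rule text, which clusters on hostname: because the links in this sample sit on distinct hosts but share one path template, it also clusters on a digit-normalised path prefix. The fixture PDF, the hostnames under .example, the thresholds and the function names are all constructed for the example; PDF string escapes and compressed object streams are deliberately not handled, so this is a triage heuristic, not a parser.

```python
import re
from collections import Counter
from urllib.parse import urlparse


def build_pdf(link_urls, body_text):
    """Constructed fixture: a minimal PDF whose single page carries one /Link
    annotation with a /URI action per URL plus a content stream with body_text.
    It has no xref table, so it is enough for byte-level scanning but is not a
    conforming file. Not a document from the report."""
    annots = " ".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 {i * 12} 200 {i * 12 + 10}] "
        f"/A << /S /URI /URI ({url}) >> >>"
        for i, url in enumerate(link_urls)
    )
    content = f"BT /F1 12 Tf ({body_text}) Tj ET"
    objs = [
        "<< /Type /Catalog /Pages 2 0 R >>",
        "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Annots [{annots}] /Contents 4 0 R >>",
        f"<< /Length {len(content)} >>\nstream\n{content}\nendstream",
    ]
    body = "".join(f"{n} 0 obj\n{o}\nendobj\n" for n, o in enumerate(objs, 1))
    return f"%PDF-1.4\n{body}trailer\n<< /Root 1 0 R >>\n%%EOF\n".encode("latin-1")


# /A << /S /URI /URI (target) >> is the action dictionary of a clickable link.
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Anything that looks like a URL anywhere else in the raw bytes (page text,
# metadata, comments). Stops at whitespace and PDF delimiters.
BARE_URL = re.compile(rb"https?://[^\s()<>\[\]]+")


def extract_urls(pdf):
    """Return (url, channel) pairs: 'link_annotation' for /URI actions,
    'document_body' for URLs seen only outside an annotation."""
    found, in_annotation = [], set()
    for m in URI_ACTION.finditer(pdf):
        url = m.group(1).decode("latin-1")
        in_annotation.add(url)
        found.append((url, "link_annotation"))
    for m in BARE_URL.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url not in in_annotation:
            found.append((url, "document_body"))
    return found


def path_template(url):
    """Directory part of the path with digit runs replaced by N, so
    /uploads/1/3/0/3/130313624/x.pdf and /uploads/1/3/0/5/130543979/y.pdf
    collapse to the same template."""
    directory = urlparse(url).path.rsplit("/", 1)[0] + "/"
    return re.sub(r"\d+", "N", directory)


def link_farm_check(pdf, max_size=200_000, min_links=8, cluster_ratio=0.6):
    """Link-farm heuristic (assumed thresholds): a small file with many
    clickable external .pdf links that cluster on one host or on one path
    template. Only annotation links count; bare URLs in text are ignored."""
    pdf_links = sorted({
        u for u, ch in extract_urls(pdf)
        if ch == "link_annotation"
        and urlparse(u).scheme in ("http", "https")
        and urlparse(u).path.lower().endswith(".pdf")
    })
    n = len(pdf_links)
    by_host = Counter(urlparse(u).hostname for u in pdf_links)
    by_path = Counter(path_template(u) for u in pdf_links)
    host_ratio = by_host.most_common(1)[0][1] / n if n else 0.0
    path_ratio = by_path.most_common(1)[0][1] / n if n else 0.0
    hit = (len(pdf) <= max_size and n >= min_links
           and max(host_ratio, path_ratio) >= cluster_ratio)
    return {"size": len(pdf), "external_pdf_links": n,
            "host_ratio": round(host_ratio, 2),
            "path_ratio": round(path_ratio, 2), "hit": hit}


if __name__ == "__main__":
    # Constructed sample: ten distinct hosts, one shared path template.
    farm = [f"http://site{i}.example/uploads/1/3/0/{i}/13031{i:04d}/doc{i}.pdf"
            for i in range(10)]
    sample = build_pdf(farm, "see http://ref.example/paper.pdf for details")
    for url, channel in extract_urls(sample):
        print(f"{channel:16} {url}")
    print(link_farm_check(sample))
```

Run against a real file, replace the fixture with `open(path, "rb").read()`; on the sample in this report the host ratio would be low (17 distinct hosts) while the path-template ratio would be high, which is why the second clustering axis is worth having. Links buried in FlateDecode object streams will not be seen by a raw byte scan; decompress with a PDF library or qpdf first if the count looks suspiciously low for a file the size of this one.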

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002b1d.bin
SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2B1D
Size: 2652 bytes

Filename: font_01_sfnt_off000036e1.bin
SHA-256: 3c9c90ab9dcfd6e04fb02422008ba646975e392ff6a09d48a0d861ec7633c9d5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x36E1
Size: 7584 bytes