Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc2d1653d93825b0…

MALICIOUS

PDF

Size: 39.0 KB
Authoring application: PDFBox
MD5: dae3695d23f7aa47d33fb301591bb6a2
SHA-1: 753cf7acd35f1795d2d96144ce521ae8fbedb1fc
SHA-256: fc2d1653d93825b09df577740821ee34b40e8266a619e8bac416582f687cccd1
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier verdict together strongly indicate malicious intent. The document body itself contains garbled text and some URLs, reinforcing the link-farm nature of the sample.

Machine Learning

  • Nyx PDF Classifier: malicious (score 1.0000)

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000169e.bin
    SHA-256: 2d6b1af80297fe06c35965ec9b026606bf2427a889e0f9337f27a26897a15d54
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x169E
    Size: 8988 bytes