Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd16cf9b606a6554…

MALICIOUS

PDF

Size: 35.3 KB
Authoring application: Adobe PDF Library 9.0
MD5: d090b9843c60b900772393922d05c0f6
SHA-1: 77ec41dc185c1ccea1a5ec988ce2093f3b7cf8f6
SHA-256: fd16cf9b606a6554cd2cffbce0ffa309739bb06dcac67d8716456c7beba00b4a
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO spam or to distribute further malicious content. ClamAV detected this as Pdf.Phishing.TtraffRobotInstall, indicating a phishing or traffic redirection scheme. The ML classifier also strongly flagged this as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000158a.bin
SHA-256: 2d4860ecd3d64dd0b98ec73efd387e41f9f438deb42827b8bb21c4e7c670aa51
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x158A
Size: 7924 bytes