Malicious PDF — malware analysis report

Static analysis result for SHA-256 feaab3cbdbb6bd41…

MALICIOUS

PDF

Size: 38.9 KB
Authoring application (self-reported document metadata, not verified): ImageMagick
MD5: eed6d81cef0a46d8c6dea061d3006201
SHA-1: e800505a3f9d9b514285b3bff47de56d92068818
SHA-256: feaab3cbdbb6bd41cb529ce43cadfd6391bd4c97a324f1bef7cb09dc0306dfcc
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of clickable links to externally hosted PDF documents, a pattern characteristic of generated SEO link-farm carriers that route users into malware or unwanted-software delivery chains. ClamAV identified the file as Pdf.Phishing.TtraffRobotInstall-7605656-0, and the Nyx PDF classifier flagged it with maximum confidence (score 1.0000). The document body text is largely unreadable because of encoding issues, so the primary signal is the link-farm pattern rather than the visible content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://cookingeasyfood.com/uploads/1/3/0/5/130588850/xozaxidutabono.pdf
    • http://www.forestgrovechiropracticclinic.com/uploads/1/3/0/3/130313729/bagugawijeju.pdf
    • http://natashaforouzannia.net/uploads/1/3/0/6/130620237/cef107.pdf
    • http://cabbagebee.com/uploads/1/3/0/6/130621932/fusolififizobet-bogesikowok.pdf
    • http://autodiscover.agricolavermont.com/uploads/1/3/0/6/130605113/polibinij.pdf
    • http://fiveminutememories.com/uploads/1/3/0/6/130621353/6b477.pdf
    • http://vicaraously.com/uploads/1/3/0/6/130604525/3d9ba.pdf
    • http://drdom.com.au/uploads/1/3/0/4/130488732/xenizekagi-nonuxesuj-liraxilu-dovulagisa.pdf
    • http://mylaraonline.com/uploads/1/3/0/5/130588695/xuwupewifa.pdf
    • http://merakifarmacy.com/uploads/1/3/0/7/130740617/javekusuzeb_xatevu.pdf
    • http://rentinspanishfork.com/uploads/1/3/0/5/130590399/dadolu.pdf
    • http://weartype.com/uploads/1/3/0/5/130541209/7835936.pdf
    • http://handheldnation.com/uploads/1/3/0/5/130589339/06f5a4fb3.pdf
    • http://kmwhittemore.com/uploads/1/3/0/6/130604550/b0067b5.pdf
    • http://mindfulevolution.net/uploads/1/3/0/7/130739460/dajazetomebax.pdf
    • http://numeracyshed.com/uploads/1/3/0/4/130435807/7547283.pdf
    • http://oneskylane.net/uploads/1/3/0/7/130738542/pomozika.pdf
    • http://newdawnbirthdoula.com/uploads/1/3/0/7/130775729/dovete_nusixeloxosun_powuv_tudewib.pdf
    • http://beyondblesstravel.voyagerwebsites.com/uploads/1/3/0/8/130813483/130813483.html#biotic+and+abiotic+examples+in+an+ecosystem
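The two heuristics above (the link-farm pattern and URL extraction from link annotations) and the font carving in the artifact table below are reproduced here as an added example. This is illustration code written for this page, not the analysis platform's own scanner. It assumes: the link-farm thresholds (file size, link count, .pdf-link ratio, host share) are made up for illustration; the sample PDF is constructed inline, with a simplified object stream and a placeholder font stream that carries only the sfnt magic; and the carved-file naming simply mirrors the font_00_sfnt_off… form shown in the artifact table.

```python
"""Added example, not the report's tooling: a small static scanner that
(1) pulls /URI targets out of Link annotations, including ones packed into a
Flate-compressed object stream, and scores the file against the link-farm
heuristic, and (2) carves embedded sfnt font streams. Thresholds are assumed."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# /URI (...) literal strings; escapes are consumed as a unit so an escaped ')'
# does not end the match early.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")
# stream bodies; \b keeps "endstream" from starting a match. A real parser
# would honour /Length instead of searching for the terminator.
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")


def iter_streams(pdf_bytes):
    """Yield (offset, raw, decoded) per stream; decoded is None unless the body
    inflates as zlib. decompressobj tolerates a trailing byte clipped by the
    regex, which zlib.decompress would reject as truncated."""
    for m in STREAM_RE.finditer(pdf_bytes):
        raw = m.group(1)
        try:
            decoded = zlib.decompressobj().decompress(raw) or None
        except zlib.error:
            decoded = None
        yield m.start(1), raw, decoded


def _unescape(raw):
    return (raw.replace(rb"\(", b"(").replace(rb"\)", b")")
               .replace(rb"\\", b"\\").decode("latin-1"))


def extract_uris(pdf_bytes):
    """Every /URI target in the raw file plus in any inflatable stream."""
    targets = [pdf_bytes] + [d for _, _, d in iter_streams(pdf_bytes) if d]
    return [_unescape(m.group("uri")) for t in targets for m in URI_RE.finditer(t)]


def link_farm_report(pdf_bytes, max_size=256 * 1024, min_links=10,
                     min_pdf_ratio=0.8, min_top_host_share=0.5):
    """PDF_SEO_LINK_FARM idea: small file, many external links, nearly all
    pointing at .pdf targets. Host clustering is reported, not required."""
    external = [u for u in extract_uris(pdf_bytes)
                if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    n = len(external) or 1  # link-free files must not divide by zero
    report = {
        "size": len(pdf_bytes), "external_links": len(external),
        "pdf_links": len(pdf_links), "pdf_ratio": round(len(pdf_links) / n, 2),
        "distinct_hosts": len(hosts), "top_host": top_host,
        "top_host_share": round(top_n / n, 2),
    }
    report["clustered"] = report["top_host_share"] >= min_top_host_share
    report["flagged"] = (len(pdf_bytes) <= max_size and len(external) >= min_links
                         and report["pdf_ratio"] >= min_pdf_ratio)
    return report


def carve_sfnt_fonts(pdf_bytes):
    """[(filename, offset, data)] for streams whose body starts with an sfnt
    magic, named like the report's font_NN_sfnt_offXXXXXXXX.bin artifacts."""
    found = []
    for off, raw, dec in iter_streams(pdf_bytes):
        data = dec if dec is not None else raw
        if data[:4] in SFNT_MAGIC:
            found.append(("font_%02d_sfnt_off%08x.bin" % (len(found), off), off, data))
    return found


# --- constructed sample input (not the analysed file) -----------------------
FAKE_FONT = b"\x00\x01\x00\x00" + b"\x00" * 12  # sfnt magic only, not a real font


def build_sample_pdf(urls, compress_from=6):
    """One Link annotation per URL; those from index compress_from on go into a
    simplified Flate ObjStm (no offset table), plus one uncompressed font
    stream. No xref is written because the scanner does not need one."""
    def annot(url):
        esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        return ("<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                "/A << /S /URI /URI (%s) >> >>" % esc).encode("latin-1")
    out = b"%PDF-1.7\n"
    for i, u in enumerate(urls[:compress_from]):
        out += b"%d 0 obj\n" % (10 + i) + annot(u) + b"\nendobj\n"
    packed = zlib.compress(b"\n".join(annot(u) for u in urls[compress_from:]))
    out += (b"100 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n"
            % len(packed)) + packed + b"\nendstream\nendobj\n"
    out += (b"101 0 obj\n<< /Length %d >>\nstream\n" % len(FAKE_FONT)
            + FAKE_FONT + b"\nendstream\nendobj\n")
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


SAMPLE_URLS = (
    ["http://farm-host.example/uploads/1/3/0/5/1305880%02d/doc%d.pdf" % (i, i) for i in range(8)]
    + ["http://other-%d.example/uploads/1/3/0/6/13062000%d/file.pdf" % (i, i) for i in range(4)]
    + ["http://blog.example/uploads/1/3/0/8/130813483/130813483.html#some+topic"]
)
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    print(link_farm_report(SAMPLE_PDF))
    for name, off, data in carve_sfnt_fonts(SAMPLE_PDF):
        print(name, "offset=0x%X size=%d" % (off, len(data)))
```

Two caveats for real use. The regex approach only sees literal-string URIs and Flate-compressed streams; a production check should walk the object graph with a proper parser (hex-string URIs, other filters, incremental updates). And note that the URLs listed for this sample sit on distinct hosts while sharing one path template (/uploads/1/3/0/N/13NNNNNNN/…), so host concentration alone would be a weak discriminator here; the link count, small file size and .pdf-target ratio are the stronger signals, which is why the report keeps clustering as a separate field rather than a gate.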

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003b15.bin
SHA-256: 744d5f9fd7d4cff5d2cf1fb4e0292a47279ad5198d6a3c083b56198b26d7b8a5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3B15
Size: 7772 bytes