Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff27c763f81e1e1b…

Verdict: MALICIOUS
File type: PDF
Size: 39.1 KB
Authoring application: QPDF
MD5: ba74958ed8bc786983b107c091af627d
SHA-1: 087345cc81739ee4e33724825bfbd9e5c5619560
SHA-256: ff27c763f81e1e1ba2b263f4e139de3d4df8c8d855567b343f8be9585089e14a
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests the primary purpose is to redirect users to a multitude of websites, potentially for phishing or SEO manipulation. The ClamAV detection and ML classifier further support its malicious nature, classifying it as Pdf.Phishing.TtraffRobotInstall-7605656-0.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://marketingforsalessuccess.com/uploads/1/3/0/2/130272551/sesipasug.pdf
    • http://clogdancing.me/uploads/1/3/0/6/130605292/2759784.pdf
    • http://mudwater.org/uploads/1/3/0/5/130590008/dc01270be594fb.pdf
    • http://thecourtesycafe.com/uploads/1/3/0/4/130435746/b4a78ea31ff.pdf
    • http://www.powerconcious.com/uploads/1/3/0/4/130483050/1289121.pdf
    • http://mom-entum.club/uploads/1/3/0/5/130588551/5077323.pdf
    • http://maintenancewestlondon.co.uk/uploads/1/3/0/6/130621413/detafojotatap.pdf
    • http://desphair.com/uploads/1/3/0/6/130639676/sexavom.pdf
    • http://tommycookdrums.com/uploads/1/3/0/6/130620669/8894b12.pdf
    • http://midwestlightingllc.com/uploads/1/3/0/6/130603878/aae889701940c.pdf
    • http://shardworld.com/uploads/1/3/0/2/130274349/0ad9d2bff629f5.pdf
    • http://conjecturebooks.net/uploads/1/3/0/7/130738861/zadafelulujoj.pdf
    • http://thceasoningsspaandhome.com/uploads/1/3/0/7/130776757/449fc9e8d.pdf
    • http://www.diradevelopments.com/uploads/1/3/0/6/130604487/pizovebo_bugiwa.pdf
    • http://ctlafrica.org/uploads/1/3/0/7/130775792/gagixiluwalokinabi.pdf
    • http://burningfiddleproductions.org/uploads/1/3/0/2/130271113/383a8317.pdf
    • http://villafrancaabogados.com/uploads/1/3/0/5/130588654/bukisugoto.pdf
    • http://graniteer.com/uploads/1/3/0/4/130483273/wibusajog.pdf
    • http://aesystems.org/uploads/1/3/0/8/130873918/vizezagufavesa-kexejeraxovi.pdf
    • http://www.gabydelossantos.com/uploads/1/3/0/2/130289767/5163282.pdf
    • http://allegroacademy.net/uploads/1/3/0/7/130739258/6811202.pdf
    • http://highjohnroot.com/uploads/1/3/0/3/130313314/b5eda53bfa03.pdf
    • http://madelynarthur.com/uploads/1/3/0/6/130621458/2b3b8d25053f.pdf
    • http://naturalbabymag.com/uploads/1/3/0/2/130270985/janami-gijomir-gufesolirovog.pdf
    • http://trojanhorsecustomconcealment.com/uploads/1/3/0/2/130288577/542ce.pdf
    • http://duboyouxixiazai.br3h.com/uploads/1/3/0/6/130639317/130639317.html#clerks+award+annual+leave
    • http://www.dirade

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003517.bin
SHA-256: 50dee939d98f40b129eea36fe9c0e3ec7fecb19610746a4e8fad95695f76e5c8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3517
Size: 7872 bytes