Malicious PDF — malware analysis report

Static analysis result for SHA-256 01039c8f08742ede…

MALICIOUS

PDF

115.1 KB Authoring application: Soda PDF
MD5: 924f7cfe0439dfac1f6fdf504676b12b SHA-1: b290e90322c6762cefc45c43d8940ae1b37c5dea SHA-256: 01039c8f08742ede4659b13bd7cdec85f60b51a9a4b7c4450e260357cdb8b240
192 Risk Score

Malware Insights

MITRE ATT&CK
T1204 Malicious Link T1204.001 Malicious Link: User Execution T1566 Phishing T1566.002 Phishing: Spearphishing Attachment

The PDF contains a large number of external links, many of which are structured as numeric slugs, indicating a potential SEO link farm for distributing malicious content. The 'SE_BROWSER_INSTALL_LURE' heuristic strongly suggests the document's purpose is to trick the user into installing a fake browser update or extension. ClamAV detection and ML classification further support its malicious nature, likely as a phishing or malware delivery mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://royalsingalongparties.com/uploads/1/3/0/5/130589083/giwifesava-powefigi.pdf
    • http://cherishedvessels.com/uploads/1/3/0/3/130323727/856685.pdf
    • http://adsmanila.com/uploads/1/3/0/6/130639304/61697a838106f7e.pdf
    • http://bergencabinets.com/uploads/1/3/0/4/130491757/bikoledis.pdf
    • http://sportsbus.com/uploads/1/3/0/5/130590051/watutuzosi_pexakodobaxiz_beriwuvegoz_zifusesebewe.pdf
    • http://acpstudios.com/uploads/1/3/0/6/130604765/dac7890fbc2520.pdf
    • http://agentrh.com/uploads/1/3/0/6/130640004/4046678.pdf
    • http://jowuref.china-business.xyz/uploads/2020/01/28/12411aa7c.pdf
    • http://acause2travel.org/uploads/1/3/0/3/130313585/bukadibel.pdf
    • http://thepadremotel.com/uploads/1/3/0/6/130620863/bukixewukavikor-sagobizozoseni-burim.pdf
    • http://bakedbounties.com/uploads/1/3/0/5/130550763/pipokepumutetop-fesodojekuse.pdf
    • http://misbailes.com/uploads/1/3/0/6/130604320/130604320.html#theory+of+plate+tectonics+easy+definition
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000149b.bin
cbed9fbff03e4a6980b7396504a597283f18aed46278745b50f4d2c77906c051		 pdf-font-stream PDF embedded font (sfnt) at offset 0x149B 9660 bytes
font_01_sfnt_off00018912.bin
de2297662dbe229d67e7b7024492c73963dbb162e8d47db466d52b7cb21c240d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x18912 3932 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.