Malicious PDF — malware analysis report

Static analysis result for SHA-256 022869a9ff4e30d4…

MALICIOUS

PDF

89.8 KB Authoring application: GIMP
MD5: 77c2341e7e8e335be0b9a5f9ba0c42c0 SHA-1: 20bb6d1cde779536594d3185fbd678126db0a14a SHA-256: 022869a9ff4e30d454410b0fe0a3c7d5a0e4bf321971a6b0ced2e9cdb9837703
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF file is identified as malicious by a machine learning classifier and ClamAV, specifically as a dropper. The heuristic 'PDF_SEO_LINK_FARM' indicates the presence of numerous external links, with the first being http://judgeammendola.com/uploads/1/3/0/3/130313783/7978945.pdf. The heuristic 'SE_DOWNLOAD_BUTTON' suggests a visual lure to encourage downloads. These findings collectively point to a phishing or social engineering attack designed to trick users into downloading further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-7624828-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7624828-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://judgeammendola.com/uploads/1/3/0/3/130313783/7978945.pdf
    • http://gatedot.evroplast92.ru/uploads/2020/01/28/a4ae7b573d.pdf
    • http://realmentespanola.com/uploads/1/3/0/4/130489157/bejoperor.pdf
    • http://sezodabux.amirhanov.com/uploads/2020/01/28/2182697.pdf
    • http://jevolare.paypal-support-limitted.com/uploads/2020/01/28/jatewasi-worufikubetoz-wasifaxomaduki-piresemarujog.pdf
    • https://refifetukinobev.weebly.com/uploads/1/3/0/3/130379902/vavopizubolubak.pdf
    • https://vapalaninu.weebly.com/uploads/1/3/0/5/130550885/54b7b89.pdf
    • http://ekki.co/uploads/1/3/0/5/130545985/tawaz.pdf
    • http://ogdentowingservice.com/uploads/1/3/0/3/130323632/130323632.html#download+kanda+sashti+kavasam
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001307.bin
7e7d2475c65ca8ad7f649f9fa8e95e3b2365f16b6ec04d662ae82f2afd9a609a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1307 7880 bytes
font_01_sfnt_off0000ef42.bin
3033f23fcffa8484ce9594d04184704a1610f7bac0023f428899864a6475b57e		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEF42 25724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.