Malicious PDF — malware analysis report

Static analysis result for SHA-256 02e46dc88942b12f…

MALICIOUS

PDF

Size: 35.0 KB
Authoring application: pdf-parser
MD5: e759b700cdff611611910c8b94806b84
SHA-1: 47794f613c4d29d88f27a516f38ee161ab568239
SHA-256: 02e46dc88942b12f4eff0cba904e2c60696d1a74164f318060e2dc191cb9adde
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of embedded external links, disguised as a tool for converting PDF to PowerPoint. The heuristic 'PDF_SEO_LINK_FARM' and the ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' indicate a phishing or malicious link distribution scheme. The embedded URLs likely lead to further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002559.bin (aedf30dafb51fc2b4bbb57492ec14eb59cfe1c60352e73efc6a6fcf74fb743eb)
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2559
Size: 7464 bytes