Malicious PDF — malware analysis report

Static analysis result for SHA-256 04a3c4cb2aeaee3a…

Verdict: MALICIOUS
File type: PDF
Size: 15.2 KB
Created: 2020-03-18 11:04:10 +00:00
Authoring application: mPDF 5.7
MD5: d9d76d4f50624c534f1a78ae2a0daaae
SHA-1: 7d3a8d410cb322d275017ea204297b31a572df70
SHA-256: 04a3c4cb2aeaee3aa226acdb564b6ce828c835e0c3eca3ade1558fc664edc704
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF is small (15.2 KB) yet carries a large number of clickable link annotations pointing to external PDF files, nearly all on the single host ieuicufioao.myhome.cx. This is the pattern of a generated SEO-poisoning link farm: the document exists to manipulate search-engine rankings and to route users who open it into malicious or unwanted-software delivery chains, not to cite sources. The Nyx ML classifier (malicious score 0.9778) and the ClamAV signature Pdf.Malware.Agent-9909945-0 agree with the heuristic verdict. The embedded URLs, for example http://ieuicufioao.myhome.cx/1551550555552550/The-Witches-of-Eastwick-Eastwick-1-by-John-Updike.pdf, are the primary indicators; the report lists no active content such as JavaScript or launch actions, so the risk lies in the link destinations, which should be treated as IOCs and blocked rather than fetched from a production host.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9778

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Malware.Agent-9909945-0
    ClamAV detected this file as malware: Pdf.Malware.Agent-9909945-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ieuicufioao.myhome.cx/1551550555552550/The-Witches-of-Eastwick-Eastwick-1-by-John-Updike.pdf
    • http://ieuicufioao.myhome.cx/3551556559555554/Couples-by-John-Updike.pdf
    • http://ieuicufioao.myhome.cx/2552550554555/The-Coup-by-John-Updike.pdf
    • http://ieuicufioao.myhome.cx/5550551552559556/Rabbit-Run-by-John-Updike.pdf
    • http://ieuicufioao.myhome.cx/1555558553554/Bech-A-Book-by-John-Updike.pdf
    • http://ieuicufioao.myhome.cx/2555559559556556/Rabbit-Redux-by-John-Updike.pdf
    • http://ieuicufioao.myhome.cx/2551556550559/Still-Looking-Essays-on-American-Art-by-John-Updike.pdf
    • http://ieuicufioao.myhome.cx/2555559558555558/Rabbit-At-Rest-by-John-Updike.pdf
    • http://ieuicufioao.myhome.cx/3557550558559550/The-Complete-Henry-Bech-by-John-Updike.pdf
    • http://ieuicufioao.myhome.cx/1556550555554/Pigeon-Feathers-and-Other-Stories-by-John-Updike.pdf
    • http://ieuicufioao.myhome.cx/4554555558550555/The-Best-American-Short-Stories-1984-by-John-Updike.pdf
    • http://ieuicufioao.myhome.cx/1550559555552553552/Higher-Gossip-Essays-and-Criticism-by-John-Updike.pdf
    • http://ieuicufioao.myhome.cx/4557550555553557/Witches-With-the-Enemy-A-Novel-of-the-Mist-Torn-Witches-The-Mist-Torn-Witches-series-Book-3-by-Barb-Hendee.pdf
    • http://ieuicufioao.myhome.cx/4557558553554/Rabbit-Omnibus-Rabbit-Run-Rabbit-Redux-Rabbit-Is-Rich-by-John-Updike.pdf
    • http://ieuicufioao.myhome.cx/1550558553552552557/Ghosts-of-Witches-Past-Witches-of-Tower-Hill-1-by-Corinne-O-39-Flynn.pdf
    • http://ieuicufioao.myhome.cx/3553556553550/Witches-Abroad-Discworld-12-Witches-3-by-Terry-Pratchett.pdf
    • http://ieuicufioao.myhome.cx/3559556556557552/The-Trouble-With-Witches-Wicked-Witches-of-the-Midwest-9-by-Amanda-M-Lee.pdf
    • http://ieuicufioao.myhome.cx/3554556552555550/Witches-in-Red-Mist-Torn-Witches-2-by-Barb-Hendee.pdf
    • http://ieuicufioao.myhome.cx/3558559557554559/Kissing-the-Bridesmaid-by-Dominique-Eastwick.pdf
    • http://ieuicufioao.myhome.cx/3554552556551558/Hunting-JC-Sherman-Family-1-by-Dominique-Eastwick.pdf
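The PDF_SEO_LINK_FARM heuristic above can be reproduced with a short triage script. The following is an added example and not the scanner's own logic: it pulls /URI link-annotation targets out of raw PDF bytes, then applies the three conditions the heuristic names (small file, many links, links clustered on one host and mostly ending in .pdf). The thresholds MIN_LINKS, MAX_SIZE, HOST_SHARE and PDF_SHARE are assumed values, not the report's. The sample PDF is constructed in the block from ten of the link targets listed in this report, with a benign control built from reserved example domains.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string) entries of link annotations; the alternation keeps an
# escaped ")" inside the string from ending the match early.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)

# Detection thresholds (assumed for this example, not the report's own values).
MIN_LINKS = 10        # fewer links than this is a normal citation pattern
MAX_SIZE = 64 * 1024  # "small PDF": little content relative to the link count
HOST_SHARE = 0.8      # share of links that must sit on the single top host
PDF_SHARE = 0.8       # share of links whose path ends in .pdf


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI string literal found in uncompressed PDF objects."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        for esc, ch in ((rb"\(", b"("), (rb"\)", b")"), (rb"\\", b"\\")):
            raw = raw.replace(esc, ch)  # undo the PDF string escapes URLs can carry
        uris.append(raw.decode("latin-1"))
    return uris


def classify_link_farm(pdf_bytes: bytes) -> dict:
    """Small PDF + many links + one host + mostly .pdf targets => link farm."""
    uris = extract_uris(pdf_bytes)
    n = len(uris)
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in uris)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    pdf_links = sum(urlsplit(u).path.lower().endswith(".pdf") for u in uris)
    is_farm = (
        len(pdf_bytes) <= MAX_SIZE
        and n >= MIN_LINKS
        and top_count / n >= HOST_SHARE
        and pdf_links / n >= PDF_SHARE
    )
    return {
        "size": len(pdf_bytes),
        "link_count": n,
        "top_host": top_host,
        "top_host_share": top_count / n if n else 0.0,
        "pdf_link_share": pdf_links / n if n else 0.0,
        "link_farm": is_farm,
        "uris": uris,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed sample: a one-page PDF whose only content is link annotations."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + annot_refs + b"] >>")
    for u in urls:
        lit = (u.encode("latin-1").replace(b"\\", b"\\\\")
               .replace(b"(", b"\\(").replace(b")", b"\\)"))
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
                    b"/A << /S /URI /URI (" + lit + b") >> >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


# Ten of the link targets listed in this report (one host, all .pdf).
FARM_URLS = [
    "http://ieuicufioao.myhome.cx/1551550555552550/The-Witches-of-Eastwick-Eastwick-1-by-John-Updike.pdf",
    "http://ieuicufioao.myhome.cx/3551556559555554/Couples-by-John-Updike.pdf",
    "http://ieuicufioao.myhome.cx/2552550554555/The-Coup-by-John-Updike.pdf",
    "http://ieuicufioao.myhome.cx/5550551552559556/Rabbit-Run-by-John-Updike.pdf",
    "http://ieuicufioao.myhome.cx/1555558553554/Bech-A-Book-by-John-Updike.pdf",
    "http://ieuicufioao.myhome.cx/2555559559556556/Rabbit-Redux-by-John-Updike.pdf",
    "http://ieuicufioao.myhome.cx/2555559558555558/Rabbit-At-Rest-by-John-Updike.pdf",
    "http://ieuicufioao.myhome.cx/3557550558559550/The-Complete-Henry-Bech-by-John-Updike.pdf",
    "http://ieuicufioao.myhome.cx/3553556553550/Witches-Abroad-Discworld-12-Witches-3-by-Terry-Pratchett.pdf",
    "http://ieuicufioao.myhome.cx/3558559557554559/Kissing-the-Bridesmaid-by-Dominique-Eastwick.pdf",
]
# Constructed benign control: a few citations spread over reserved example domains.
BENIGN_URLS = ["https://www.example.org/papers/report.pdf",
               "https://www.example.com/",
               "https://www.example.net/docs/notes.html"]

if __name__ == "__main__":
    for label, urls in (("link farm", FARM_URLS), ("benign", BENIGN_URLS)):
        r = classify_link_farm(build_sample_pdf(urls))
        print(label, {k: v for k, v in r.items() if k != "uris"})
```

Two caveats when running this against real samples. The extractor is a regex over raw bytes, not a PDF parser: annotations stored in compressed object streams (PDF 1.5 /ObjStm) or with the /URI given as a hex string will be missed, so expand the file first, for example with `qpdf --qdf --object-streams=disable in.pdf out.pdf`. And a hit is a reason to block the top host and pivot on it, not to fetch the link targets from an analyst workstation.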