Malicious PDF — malware analysis report

Static analysis result for SHA-256 04b9c64d8f8a1f7f…

Verdict: MALICIOUS

File type: PDF

Size: 50.0 KB
Authoring application: GIMP
MD5: 1c735ea397147769307bb56fa34dabd0
SHA-1: 2355688e342e2abbeb784c211249b8d3b3d00b8a
SHA-256: 04b9c64d8f8a1f7f1b7310aedf4dd1bbfc3143edd57c2ae8eb3e1555130659b0
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample was detected as malicious by ClamAV and by an ML classifier, and it triggers the PDF_SEO_LINK_FARM heuristic. This indicates the PDF is likely a dropper or part of a link farm designed to redirect users to malicious content, specifically other PDFs. The numerous embedded URLs point to a strategy of distributing further malicious payloads or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-7900403-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7900403-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000058cc.bin
    SHA-256: 6dc6e07f93ae70488a19e8a398a1c6cda2f5723fc3d3cbe180c5afbb10c3611e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x58CC
    Size: 2864 bytes
  • Filename: font_01_sfnt_off00006575.bin
    SHA-256: b736ee14a961f37f414b6aa0cfa890121660b8b6a189e67503f9cba7524335ac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6575
    Size: 8072 bytes