Malicious PDF — malware analysis report

Static analysis result for SHA-256 05426e19aa517ec3…

MALICIOUS

PDF

39.7 KB Authoring application: PDFedit
MD5: d50261ced16e355377e50db62fd5af96 SHA-1: eb202188e45d064a51fbd3d3535eeeae2ec1df0c SHA-256: 05426e19aa517ec3e486badaaa488c7440d58ab1bd4abf36ee89402e21c9e0c9
160 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, suggesting a phishing or malicious content distribution scheme. The presence of a 'SE_DOWNLOAD_BUTTON' heuristic further supports the lure of downloading potentially harmful files. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and a high ML classifier score confirm the malicious nature. The document body, though partially corrupted, contains references to exam questions and embedded URLs, indicating a phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://cashmere-shop.ru/uploads/2020/01/29/lofufu.pdf
    • http://wexefepe.audiostart10.icu/uploads/2020/01/28/wawawugu.pdf
    • https://nivobigud.weebly.com/uploads/1/3/0/5/130544448/bedode-dabagaxus-tadenug.pdf
    • http://ensamble7.com/uploads/1/3/0/6/130603968/nedizet-tapoze-pizawarujug-gavul.pdf
    • http://egitimcilerdenbatikhikayeler.com/uploads/1/3/0/5/130551927/sosix.pdf
    • http://fscar.org/uploads/1/3/0/6/130604264/446279.pdf
    • http://luctravers.com/uploads/1/3/0/6/130621063/9a5cb.pdf
    • http://stokesed508webpage.com/uploads/1/3/0/4/130476917/130476917.html#comptia+n+exam+questions+and+answers+pdf
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000112e.bin
5c82bfa0227d86a2b3362df790b85c24c4509fc49e0a25c4e5482e6ec39436e3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x112E 8384 bytes
font_01_sfnt_off000053bb.bin
e88effe13a8d943ff19657e8b2d28c221ed8e312416d347c56a0497fda1469d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x53BB 16300 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.