Malicious PDF — malware analysis report

Static analysis result for SHA-256 061bee53480fab2d…

Verdict: MALICIOUS
File type: PDF
Size: 50.9 KB
Authoring application: Solid Converter PDF
MD5: f6684b400b146788625a1afb672fc8af
SHA-1: 0161542098704b6259472bc813361bd7ddecd443
SHA-256: 061bee53480fab2d9e1cce031d142d128582da2d82ab8fb536a1d29507ee2ac7
Risk Score: 192

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

This PDF document carries a mass external link farm: ten link annotations point to other PDF files, each on a different host but all under the same /uploads/1/3/0/<digit>/<9-digit id>/ path structure, a layout consistent with generated pages on one hosting platform rather than with genuine document citations. The SE_BROWSER_INSTALL_LURE heuristic indicates the document prompts the user to install a browser extension or update to view its content. Combined with the link farm, this points to a phishing or unwanted-software distribution chain. No scripts were extracted, so the T1203 and T1059.007 mappings above are not backed by static evidence in this report; the embedded URLs are the primary indicators of compromise. The two dejavu.sourceforge.net URLs are the vendor and license URLs that DejaVu fonts carry in their name table and are most likely attributable to the two embedded sfnt fonts listed under Extracted artifacts rather than to clickable links; the .html URL on bernardobellostudio.com does not follow the PDF pattern and deserves separate review.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [high] SE_BROWSER_INSTALL_LURE: Browser extension / update installation lure
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content, a common social-engineering path for credential theft and malware installation.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://seanhaseymassage.com/uploads/1/3/0/6/130620783/2b4a09e.pdf
    • http://invrnc.net/uploads/1/3/0/2/130272428/c9602.pdf
    • http://newglasgowmassage.ca/uploads/1/3/0/6/130639445/xutexupilos.pdf
    • http://doyoucountfaith.com/uploads/1/3/0/3/130324137/8fb3c.pdf
    • http://colormeribbons.com/uploads/1/3/0/6/130605019/1575227.pdf
    • http://mycarlrogers.com/uploads/1/3/0/6/130621480/zunazemisugivi.pdf
    • http://adcounselling.net/uploads/1/3/0/5/130539697/juturudup_duwokajerirarab.pdf
    • http://snohomishdrivingrange.com/uploads/1/3/0/5/130540063/4503401.pdf
    • http://abullfrogstudio.com/uploads/1/3/0/5/130538836/siputewu-mabelozedenadal-gojadija.pdf
    • http://msmcelroy.net/uploads/1/3/0/2/130289749/talawiruxo.pdf
    • http://bernardobellostudio.com/uploads/1/3/0/7/130775692/130775692.html#html+input+type+file+change+name
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
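The PDF_SEO_LINK_FARM heuristic above is described only in prose. The following is an added triage script, not the analysis platform's own code: it pulls /URI targets out of an uncompressed PDF with a regex, then scores the link-farm pattern by counting external .pdf links and measuring how strongly they cluster on one host or on one path template. The thresholds (100 KB, 8 links, 60% clustering) are assumptions chosen for this illustration. The sample PDF is constructed inline from the thirteen URLs listed in this report; nothing is fetched.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string) in uncompressed objects. Escaped parentheses and
# backslashes inside the string are tolerated; hex strings <...> are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes):
    """Return /URI targets visible in the raw file. Objects packed into
    compressed object streams are invisible to this scan: inflate them first
    (for example with qpdf --qdf --object-streams=disable) or use a PDF parser."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def path_template(url):
    """Directory part of the path with digit runs collapsed, so that
    /uploads/1/3/0/6/130620783/x.pdf and /uploads/1/3/0/2/130272428/y.pdf
    both map to /uploads/N/N/N/N/N/ (clustering by hosting-platform layout)."""
    directory = urlsplit(url).path.rsplit("/", 1)[0] + "/"
    return re.sub(r"\d+", "N", directory)


def score_link_farm(uris, size_bytes, small_limit=100_000, min_links=8, cluster_ratio=0.6):
    """Assumed thresholds (not the platform's): a file of at most small_limit
    bytes with at least min_links external .pdf links, of which cluster_ratio
    or more share one host or one path template, is flagged."""
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    n = len(pdf_links)
    top_host = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tmpl = templates.most_common(1)[0] if templates else (None, 0)
    host_share = top_host[1] / n if n else 0.0
    tmpl_share = top_tmpl[1] / n if n else 0.0
    return {
        "external_links": len(external),
        "pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host": top_host[0],
        "top_host_share": host_share,
        "top_path_template": top_tmpl[0],
        "top_template_share": tmpl_share,
        "flagged": (size_bytes <= small_limit and n >= min_links
                    and max(host_share, tmpl_share) >= cluster_ratio),
    }


def build_sample_pdf(urls):
    """Constructed sample: a minimal single-page PDF with one /Link annotation
    per URL, uncompressed, with a valid xref so ordinary PDF tools open it too."""
    def esc(s):
        return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [{refs}] >>".encode()]
    objs += [f"<< /Type /Annot /Subtype /Link /Rect [0 {10*i} 200 {10*i+10}] "
             f"/A << /S /URI /URI ({esc(u)}) >> >>".encode("latin-1") for i, u in enumerate(urls)]
    out, offsets = b"%PDF-1.4\n", []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + obj + b"\nendobj\n"
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{o:010d} 00000 n \n".encode() for o in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref}\n%%EOF\n".encode()
    return out


# The thirteen URLs listed in this report, embedded as link annotations.
REPORT_URLS = [
    "http://seanhaseymassage.com/uploads/1/3/0/6/130620783/2b4a09e.pdf",
    "http://invrnc.net/uploads/1/3/0/2/130272428/c9602.pdf",
    "http://newglasgowmassage.ca/uploads/1/3/0/6/130639445/xutexupilos.pdf",
    "http://doyoucountfaith.com/uploads/1/3/0/3/130324137/8fb3c.pdf",
    "http://colormeribbons.com/uploads/1/3/0/6/130605019/1575227.pdf",
    "http://mycarlrogers.com/uploads/1/3/0/6/130621480/zunazemisugivi.pdf",
    "http://adcounselling.net/uploads/1/3/0/5/130539697/juturudup_duwokajerirarab.pdf",
    "http://snohomishdrivingrange.com/uploads/1/3/0/5/130540063/4503401.pdf",
    "http://abullfrogstudio.com/uploads/1/3/0/5/130538836/siputewu-mabelozedenadal-gojadija.pdf",
    "http://msmcelroy.net/uploads/1/3/0/2/130289749/talawiruxo.pdf",
    "http://bernardobellostudio.com/uploads/1/3/0/7/130775692/130775692.html#html+input+type+file+change+name",
    "http://dejavu.sourceforge.net",
    "http://dejavu.sourceforge.net/wiki/index.php/License",
]
SAMPLE_PDF = build_sample_pdf(REPORT_URLS)

if __name__ == "__main__":
    for key, value in score_link_farm(extract_uris(SAMPLE_PDF), len(SAMPLE_PDF)).items():
        print(f"{key}: {value}")
```

On the report's URL set the host clustering is weak (every PDF link sits on a different host) while the path-template clustering is total, which is why the scorer looks at both; a host-only rule would have missed this sample.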

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000012c9.bin
    SHA-256: d372b5c61ec841f1b577eb50a10e5a1f14b1d9c15c5395a309c73669780c9c95
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12C9
    Size: 9236 bytes
  • font_01_sfnt_off00008148.bin
    SHA-256: 0c8b636322dcb4d69dd08a763b09c4b5ff2b7ea73056f43add13012560a79e6e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8148
    Size: 16076 bytes
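The carved sfnt streams are the likely source of the two dejavu.sourceforge.net URLs in the URL list (DejaVu fonts carry their vendor and license URLs in the font's name table). The following is an added check, not the analysis platform's code, that reads the name table of an sfnt file and lists its URL-valued entries, so font-metadata URLs can be separated from URLs reachable by clicking a link. The carved fonts themselves are not on this page, so a constructed sfnt container holding only a name table (with example.invalid-style vendor URLs) is built inline as sample input.

```python
import re
import struct

# name IDs that conventionally hold URLs in an OpenType/TrueType name table
URL_NAME_IDS = {11: "vendor URL", 14: "license URL"}


def sfnt_name_table(data):
    """Return {(platformID, nameID): text} from the font's 'name' table,
    or {} when the data is too short or carries no name table."""
    if len(data) < 12:
        return {}
    _version, num_tables = struct.unpack(">IH", data[:6])
    name_off = name_len = None
    for i in range(num_tables):
        tag, _csum, off, length = struct.unpack(">4sIII", data[12 + 16 * i: 28 + 16 * i])
        if tag == b"name":
            name_off, name_len = off, length
    if name_off is None:
        return {}
    tbl = data[name_off: name_off + name_len]
    _fmt, count, str_off = struct.unpack(">HHH", tbl[:6])
    names = {}
    for i in range(count):
        pid, _eid, _lid, nid, slen, soff = struct.unpack(">HHHHHH", tbl[6 + 12 * i: 18 + 12 * i])
        raw = tbl[str_off + soff: str_off + soff + slen]
        # Unicode (0) and Windows (3) platforms store UTF-16BE; Macintosh (1) is single-byte
        text = raw.decode("utf-16-be", "replace") if pid in (0, 3) else raw.decode("latin-1")
        names[(pid, nid)] = text
    return names


def font_urls(data):
    """Map every URL found in the name table to the name ID that carried it."""
    found = {}
    for (_pid, nid), text in sfnt_name_table(data).items():
        for url in re.findall(r"https?://\S+", text):
            found[url] = URL_NAME_IDS.get(nid, f"nameID {nid}")
    return found


def build_sample_font(names):
    """Constructed sample: an sfnt container with a single 'name' table
    (Windows platform, Unicode BMP encoding, en-US). Not a renderable font."""
    records, storage = b"", b""
    for nid, text in names:
        enc = text.encode("utf-16-be")
        records += struct.pack(">HHHHHH", 3, 1, 0x0409, nid, len(enc), len(storage))
        storage += enc
    name_tbl = struct.pack(">HHH", 0, len(names), 6 + len(records)) + records + storage
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)   # one table: searchRange 16
    directory = struct.pack(">4sIII", b"name", 0, len(header) + 16, len(name_tbl))
    return header + directory + name_tbl


# Constructed metadata; the URLs are placeholders, not the DejaVu ones.
SAMPLE_NAMES = [
    (1, "Constructed Sans"),
    (4, "Constructed Sans Regular"),
    (11, "http://vendor.example/fonts"),
    (14, "http://vendor.example/fonts/license"),
]
SAMPLE_FONT = build_sample_font(SAMPLE_NAMES)

if __name__ == "__main__":
    for url, source in font_urls(SAMPLE_FONT).items():
        print(f"{url}  <- {source}")
```

To run this against the carved artifacts, pass the file contents to font_urls (for example `font_urls(open("font_00_sfnt_off000012c9.bin", "rb").read())`); a URL that appears there and nowhere in a link annotation is font metadata, not a click target, and should not be treated as an indicator.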