Malicious PDF — malware analysis report

Static analysis result for SHA-256 065fb16e2168187e…

Verdict: MALICIOUS
File type: PDF
Size: 55.0 KB
Authoring application: Serif PagePlus
MD5: 71650a37d4cc11f58567d53f3998951f
SHA-1: 12e830722994414e26af5acfc574f3409877cc13
SHA-256: 065fb16e2168187e96c959e84b8169a5503f63abf8b3aa93e6b489af5e270724
Risk score: 192

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document is identified as malicious by multiple heuristics and a machine learning classifier, specifically flagged for a link farm and a password-protected archive lure. The embedded URLs, such as http://catapultband.com/..., suggest a distribution mechanism for further malicious content. The document body, though heavily obfuscated, appears to be a lure disguised as a software manual to trick users into downloading a password-protected archive, likely containing a second-stage payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9994

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Password-protected archive handoff [high] SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                     Size
font_00_sfnt_off0000411b.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x411B  6908 bytes
  SHA-256: 3846a17eae5fabd0057193daf355264e25db511ec79330f1ff7e728eab53c887
font_01_sfnt_off000056c8.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x56C8  16488 bytes
  SHA-256: d8fa1d180e0a505d0c2b16a5f695b88c8b58e4db502161fc5572c07a7daa196e
font_02_sfnt_off000070ef.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x70EF  10988 bytes
  SHA-256: 42e41a21d6cb58aa3943ff0d0fcc68bbef9d614d2f58caac2e9864037a5fdea6