Malicious PDF — malware analysis report

Static analysis result for SHA-256 06a49eb07e6e548e…

MALICIOUS

PDF

Size: 44.5 KB
Authoring application: pdf-parser
MD5: 13e6d4a259e0fe9d7c5d41e5220614a7
SHA-1: bc51daa9a8faf1edb229608ac2ecfa02653e5514
SHA-256: 06a49eb07e6e548e53383740fe8bff72ef2f4de4f6105d826b25b0d8985e5905
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links to external PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests a tactic to drive traffic to these external resources, which could be for SEO manipulation or to serve as a distribution point for further malicious content. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-7850996-0 (severity: critical, ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7850996-0
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000017d9.bin
SHA-256: 8a79744a0ffe7d3dc5dca709e51a601b82c401ca7985ec0c4b8a7afccc645639
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x17D9
Size: 9972 bytes