Malicious PDF — malware analysis report

Static analysis result for SHA-256 09904ecb4fa6e7f6…

Verdict: MALICIOUS
File type: PDF
Size: 39.3 KB
Authoring application: QPDF
MD5: 528f715b16ee17f84b546d98740f2fd8
SHA-1: ed7b7cbb1f45529e6d4c1596bc1a47096e50dd2b
SHA-256: 09904ecb4fa6e7f653b6593b5666751588be232987db374ca10a4913ca2fd972
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a mass of external links to other PDF files, disguised as a syllabus, which is a common lure for phishing attacks. The heuristic 'PDF_SEO_LINK_FARM' and the ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly indicate a phishing campaign. The embedded URLs are likely used to distribute further malicious content or redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003591.bin
SHA-256: d3643617ee983b3868d46ae4ead4a8cbe028b93e4c1d5ea46f7962041a13a213
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3591
Size: 8192 bytes