Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b95275512acee97…

MALICIOUS

PDF

Size: 39.2 KB
Authoring application: QPDF
MD5: dd89b7a3d826b84e39ac6c70511b281b
SHA-1: 201b535c0d9dd19d1d86f5c35b78f782ec2187d1
SHA-256: 0b95275512acee970c87c278ea53bf136f6bdf358421b62a65ee5c102c5f2e0e
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded external links, as flagged by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a campaign to redirect users to potentially malicious content. The ML classifier and the ClamAV detection further support the malicious classification of the file. While no scripts were explicitly extracted, the nature of the embedded links and the PDF structure suggest an attempt to exploit users through a phishing or redirection scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001014.bin
    SHA-256: b4a5f758692c8d757d6941c63efd4cc89790b783c57d033639a5269996907306
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1014
    Size: 7568 bytes
  • Filename: font_01_sfnt_off00005e70.bin
    SHA-256: 1b3f82cd74c5b6671cc0c0d4a6c7877b74bb57ca469b2a61ef541918e41af838
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5E70
    Size: 2652 bytes