Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e16f0aaf67b2b4b…

Verdict: MALICIOUS
File type: PDF
Size: 64.6 KB
Authoring application: Adobe PDF Library 9.0
MD5: 1b59f817c8fc84451945b5e02660afd6
SHA-1: ae03433fb046240fe6d3af8a09d612748ecf131d
SHA-256: 0e16f0aaf67b2b4b55d1497930b640ffd23e52600555b737b24f51e31a205f45
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document carries a large number of link annotations pointing at other PDF files hosted on many different domains that share the same upload-path shape (/uploads/1/3/0/n/<id>/<name>.pdf). Generated link-farm PDFs of this kind are used for SEO poisoning and to route readers into malware or unwanted-software delivery chains, and the ML classifier and the ClamAV signature agree on a malicious verdict. No JavaScript, launch actions or other active content was extracted, so the file's risk lies in the links themselves: what matters is what the linked PDFs deliver when a user follows them, not what this document does on open. Several of the extracted URLs (dejavu.sourceforge.net, fedoraproject.org, ascendercorp.com) are font-licence and foundry references of the kind carried in embedded font metadata (three sfnt fonts, about 28 KB of the 64.6 KB file, were carved from the sample) and are unlikely to be link-farm targets; check the per-URL channel labels before treating them as indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://biglifecc.com/uploads/1/3/0/6/130639946/dezuwumafepabugos.pdf
    • http://morgane-claudine-laurent.com/uploads/1/3/0/6/130639413/1094045.pdf
    • http://nqxr.com.au/uploads/1/3/0/4/130488955/ab2db5.pdf
    • http://knoxfoodtours.com/uploads/1/3/0/4/130489437/577a06243b.pdf
    • http://2psp.fr/uploads/1/3/0/2/130287454/vunesimusizubik.pdf
    • http://dedicatedladiesconcrete.com/uploads/1/3/0/2/130271061/dutizimatibeneg.pdf
    • http://drandrewwalker.com/uploads/1/3/0/2/130272477/9fa6bd3da50fe2.pdf
    • http://pvjv.com/uploads/1/3/0/5/130550969/3516f3809e0.pdf
    • http://thegeeksdomain.com/uploads/1/3/0/6/130640218/larupem.pdf
    • http://sosdetail.com/uploads/1/3/0/7/130739220/02ec61e.pdf
    • https://xilajobuzaluwu.weebly.com/uploads/1/3/0/3/130313176/459763.pdf
    • http://rochecenter.org/uploads/1/3/0/5/130590548/130590548.html#from+monk+to+money+manager
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://static.68.124.217.95.clients.your-server.de/uploads/2020/01/28/sowit.pdf
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
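The link-farm heuristic above and the "no scripts extracted" observation can both be reproduced from the raw bytes of a PDF. The following is an added example written for this report, not the scanner's own code: it pulls every /URI target out of link annotations (literal and hex string forms), checks for active-content names (/JavaScript, /JS, /OpenAction, /Launch, /AA, /EmbeddedFile) and flags /ObjStm, because object streams hide dictionaries from a byte-level scan, then applies a small-carrier/mass-PDF-link test. The size and count thresholds, the host and path-shape shares, and the sample PDF it builds (hosts under .example, not the URLs listed above) are all this example's assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed link targets for the sample PDF (not the report's URLs): nine
# .pdf targets on different hosts sharing the "/uploads/d/d/d/d/<id>/" path
# shape visible in the report's listing, plus a font-licence URL of the kind
# embedded fonts leave behind.
SAMPLE_TARGETS = [f"http://host-{c}.example/uploads/1/3/0/{i % 7}/13063{i:04d}/{c * 6}.pdf"
                  for i, c in enumerate("abcdefghi")]
SAMPLE_TARGETS.append("http://dejavu.sourceforge.net/wiki/index.php/License")


def build_sample_pdf(targets):
    """Build a minimal uncompressed PDF with one Link annotation per target.

    Odd-numbered annotations store the URI as a hex string so both PDF string
    forms are exercised. Constructed test fixture, not the analysed sample.
    """
    annots, objs = [], []
    for n, uri in enumerate(targets):
        obj_num = 4 + n
        annots.append(f"{obj_num} 0 R")
        if n % 2:
            uri_str = "<" + uri.encode().hex().upper() + ">"
        else:
            esc = uri.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
            uri_str = "(" + esc + ")"
        objs.append(f"{obj_num} 0 obj << /Type /Annot /Subtype /Link "
                    f"/Rect [0 {700 - 20 * n} 200 {720 - 20 * n}] "
                    f"/A << /S /URI /URI {uri_str} >> >> endobj")
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        f"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Annots [{' '.join(annots)}] >> endobj\n"
        + "\n".join(objs) + "\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


# /URI followed by a literal string (...) or a hex string <...>. The literal
# branch handles escaped parens but not unescaped balanced parens, which the
# PDF spec allows; a full lexer would track nesting depth.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
_ESC_RE = re.compile(rb"\\([\\()])")


def extract_uris(pdf_bytes):
    """Return every /URI target found in the raw bytes, in file order."""
    uris = []
    for lit, hexs in _URI_RE.findall(pdf_bytes):
        if hexs:
            h = re.sub(rb"\s", b"", hexs).decode("ascii")
            h += "0" * (len(h) % 2)          # PDF pads a trailing odd digit with 0
            raw = bytes.fromhex(h)
        else:
            raw = _ESC_RE.sub(rb"\1", lit)
        uris.append(raw.decode("latin-1"))
    return uris


ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA", b"/EmbeddedFile")


def active_content_markers(pdf_bytes):
    """Names whose presence means the file can do more than link out.

    A hit is a prompt to dig, not a verdict. Absence only means something when
    'objstm_hidden' is False: compressed object streams hide the dictionaries
    a raw byte scan relies on.
    """
    found = [m.decode() for m in ACTIVE_MARKERS
             if re.search(re.escape(m) + rb"(?![A-Za-z])", pdf_bytes)]
    return {"markers": found, "objstm_hidden": b"/ObjStm" in pdf_bytes}


UPLOADS_PATH_RE = re.compile(r"^/uploads/\d/\d/\d/\d/\d+/")


def link_farm_assessment(pdf_bytes, max_size=200_000, min_links=8, min_pdf_share=0.6):
    """Small carrier + many external .pdf links -> link-farm verdict.

    Thresholds are this example's assumptions, not the scanner's values. Host
    and path-shape shares are reported so the analyst can tell whether the
    cluster is one host or one hosting template spread across many hosts.
    """
    parsed = [urlparse(u) for u in extract_uris(pdf_bytes)]
    external = [p for p in parsed if p.scheme in ("http", "https") and p.netloc]
    n = len(external)
    pdf_links = [p for p in external if p.path.lower().endswith(".pdf")]
    hosts = Counter(p.netloc.lower() for p in external)
    result = {
        "size": len(pdf_bytes),
        "external_links": n,
        "pdf_links": len(pdf_links),
        "pdf_share": len(pdf_links) / n if n else 0.0,
        "top_host_share": hosts.most_common(1)[0][1] / n if n else 0.0,
        "uploads_path_share": sum(1 for p in external if UPLOADS_PATH_RE.match(p.path)) / n if n else 0.0,
        "non_pdf_targets": [p.geturl() for p in external if not p.path.lower().endswith(".pdf")],
    }
    result["link_farm"] = (result["size"] <= max_size and n >= min_links
                           and result["pdf_share"] >= min_pdf_share)
    return result


if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_TARGETS)
    print(active_content_markers(sample))
    print(link_farm_assessment(sample))
```

On the constructed sample the assessment reports ten external links, nine of them .pdf, every host distinct but nine of ten paths matching the upload template, no active-content names and no object streams, which is the shape of the finding above: a passive carrier whose only payload is where it points.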

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000013fd.bin
    SHA-256: 23b87b2381628bf26895dfa2783aa6104e3e3209a80dcfb05558121dee0f1299
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x13FD
    Size: 9508 bytes
  • font_01_sfnt_off0000ac35.bin
    SHA-256: 23df611c204fcacea0cb1a1bd4777a81db0301add4d2a86387d9b428d0dd637c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAC35
    Size: 16648 bytes
  • font_02_sfnt_off0000c267.bin
    SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC267
    Size: 2652 bytes