Malicious PDF — malware analysis report

Static analysis result for SHA-256 12293eef19811860…

MALICIOUS

PDF

Size: 43.4 KB
Authoring application: pdf-parser
MD5: 4ac68264b981de25285ee4f156bf8475
SHA-1: 1e0a92774d3895b57a5d84c7defac1f9525b4696
SHA-256: 12293eef198118606a427f5ce6ed90a9648bb629b2759ca8d8d73242cf75e654
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries an unusually large number of embedded URLs for its size, flagged by the PDF_SEO_LINK_FARM heuristic: a link farm built to route users into malicious or unwanted-software delivery rather than a genuine document. The Nyx ML classifier (score 1.0000) and the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently corroborate the verdict. No script was extracted from the file, so the T1059.007 (JavaScript) tag rests on the campaign pattern rather than on recovered code; the structure and URL distribution alone are what indicate a phishing or malware-distribution lure.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm — critical — PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host or one hosting path pattern. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 — critical — CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info — EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The first eleven targets below share a generated "uploads/<date or id>/<random>.pdf" path shape across many unrelated hosts, which is the link-farm pattern; the last three (ascendercorp.com and the Fedora licence page) are typical font-vendor and licence references and most likely originate from the embedded Liberation font name tables (see the extracted sfnt artifacts) rather than from clickable links.
    • http://nashvilleperformancepsych.net/uploads/1/3/0/5/130550681/9015163.pdf
    • http://mountainplayschool.com/uploads/1/3/0/5/130541677/nefivivatexin.pdf
    • http://ms-j.org/uploads/1/3/0/6/130621432/dodonisovubagujo.pdf
    • http://infusion-web.com/uploads/2020/01/27/965c17b9d.pdf
    • http://msdixonart.com/uploads/1/3/0/2/130288453/c397272.pdf
    • http://delofty-official.com/uploads/2020/01/28/givanime.pdf
    • http://vanezo.gotaserena.com/uploads/2020/01/27/6979748.pdf
    • http://ondex.ru/uploads/2020/01/29/6921642.pdf
    • http://onlinefitnessunderground.com/uploads/1/3/0/5/130540789/b53033ad8cbb1a.pdf
    • http://pomel.cosmokot.ru/uploads/2020/01/27/c0663f7aae9.pdf
    • http://michaelshusko.com/uploads/1/3/0/6/130620511/130620511.html#datepicker+date+format+yyyy-+mm-+dd
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
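The PDF_SEO_LINK_FARM heuristic above combines three observations: a small file, many clickable external links whose targets are themselves PDFs, and those targets concentrating on few hosts. The following is an added, stand-alone reimplementation of that idea, not the analysis engine's own code. It carves /URI link-annotation targets out of the raw PDF bytes with a regular expression, groups them by host and applies illustrative thresholds; the thresholds, the hostnames under `.invalid`, and the helper that builds the two sample PDFs are all assumptions made for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Illustrative thresholds (assumptions, not the report engine's real tunings).
MAX_SMALL_PDF_BYTES = 200 * 1024   # "small" PDF
MIN_EXTERNAL_PDF_LINKS = 5         # "many" clickable external .pdf links
MIN_TOP_HOST_SHARE = 0.5           # "mostly clustered on one host"

# /URI entry of a link-annotation action. Handles the literal-string escapes
# \( \) \\ but not hex strings or annotations hidden inside object streams.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.DOTALL)


def build_sample_pdf(uris):
    """Constructed test input: a one-page PDF whose only content is one
    /Link annotation with a /URI action per entry in `uris`."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + annot_refs + b"] >>")
    for i, uri in enumerate(uris):
        y = 700 - 20 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [50 %d 300 %d] "
                    b"/A << /S /URI /URI (%s) >> >>"
                    % (y, y + 15, uri.encode("latin-1")))
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


def unescape_pdf_literal(raw):
    """Undo the \\( \\) \\\\ escapes of a PDF literal string."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_link_uris(pdf_bytes):
    """Carve /URI targets out of the raw file: the 'link annotation' channel."""
    return [unescape_pdf_literal(m.group(1)) for m in URI_RE.finditer(pdf_bytes)]


def link_farm_verdict(pdf_bytes):
    """Small file + many external clickable .pdf links + host clustering."""
    uris = extract_link_uris(pdf_bytes)
    external_pdf_hosts = []
    for uri in uris:
        parsed = urlparse(uri)
        if parsed.scheme in ("http", "https") and parsed.path.lower().endswith(".pdf"):
            external_pdf_hosts.append(parsed.netloc.lower())
    hosts = Counter(external_pdf_hosts)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    top_share = top_count / len(external_pdf_hosts) if external_pdf_hosts else 0.0
    match = (len(pdf_bytes) <= MAX_SMALL_PDF_BYTES
             and len(external_pdf_hosts) >= MIN_EXTERNAL_PDF_LINKS
             and top_share >= MIN_TOP_HOST_SHARE)
    return {
        "size_bytes": len(pdf_bytes),
        "uris": uris,
        "external_pdf_links": len(external_pdf_hosts),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(top_share, 2),
        "match": match,
    }


if __name__ == "__main__":
    # Constructed inputs: a link-farm lookalike and a citation-style control.
    farm = build_sample_pdf(
        [f"http://linkfarm.invalid/uploads/2020/01/27/{i:06x}.pdf" for i in range(8)]
        + ["https://fedoraproject.org/wiki/Licensing/LiberationFontLicense"])
    citations = build_sample_pdf(
        ["https://a.invalid/paper.pdf", "https://b.invalid/notes.pdf"])
    for name, blob in (("link-farm sample", farm), ("citation-style sample", citations)):
        verdict = link_farm_verdict(blob)
        print(name, "->", "PDF_SEO_LINK_FARM" if verdict["match"] else "no match", verdict)
```

The regex scan is deliberately a raw-bytes carve rather than a full PDF parse, which is what makes it useful on malformed or deliberately broken samples; the price is that URIs stored as hex strings or inside compressed object streams are missed, so a production check should also run the same logic over decompressed streams. Note that the licence URL is counted as an extracted URI but not as an external PDF link, mirroring the report's distinction between "URL extracted" and "detection".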

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                      Size
font_00_sfnt_off00001247.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x1247   9136 bytes
  SHA-256: b99300592b660159281d8791b0ca4e93c65b5c747a10731cbdbf77c0209bc0ca
font_01_sfnt_off00006e1d.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x6E1D   2860 bytes
  SHA-256: 4d9ec2aec8f1ca6bebe1b56492fd55a77bba3a6e98efb76508c1b835d4eb9912