Malicious PDF — malware analysis report

Static analysis result for SHA-256 13598b21f4005627…

MALICIOUS

PDF

Size: 59.2 KB
Authoring application: PDFBox
MD5: 4f4fda5e26130204a77b219289a32d17
SHA-1: d041e4bd6d1e9af78abc7af4e300e3ad71b423f2
SHA-256: 13598b21f4005627c680bd85bfcd95e4dcf254c74dfe763f1b5292b69d45ec2c
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a mass external link farm: its link annotations point to 31 different PDF files hosted across many domains. This is the pattern of a phishing or SEO-manipulation carrier built to drive traffic or route users on to further malicious content, not a normal document citation pattern. The ClamAV signature hit and the ML classifier score both agree with that assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://worldwide.international/uploads/1/3/0/6/130604642/ed4496f25.pdf
    • http://thenational-125sclark.com/uploads/1/3/0/2/130291499/tesulikidosidaw.pdf
    • http://tcapstransparency.com/uploads/1/3/0/3/130379246/tamivodobi.pdf
    • http://www.cambridgepocketsquares.co.uk/uploads/1/3/0/4/130483210/mixonujovunukowemej.pdf
    • http://asterisq.net/uploads/1/3/0/7/130775380/jegulujimaruk.pdf
    • http://www.angellworks.net/uploads/1/3/0/6/130604477/14494.pdf
    • http://mail.lochletter.com/uploads/1/3/0/6/130620337/a87d0.pdf
    • http://myrichardsonrealty.com/uploads/1/3/0/2/130270833/xefilajotofawa_wulumelo.pdf
    • http://webdisk.creeksidesupplyinc.com/uploads/1/3/0/5/130544086/zokututasax.pdf
    • http://katmacenas.com/uploads/1/3/0/3/130313159/7f2adad.pdf
    • http://eessw.eesforjobs.com/uploads/1/3/0/5/130551687/sibupo.pdf
    • http://barringtonmiddleschoolpto.com/uploads/1/3/0/6/130639729/3221229.pdf
    • http://mail.brazosvalleycheese.com/uploads/1/3/0/5/130588999/nupiniwida.pdf
    • http://www.disabilityindiana.org/uploads/1/3/0/7/130740376/77a921f4d7d3.pdf
    • http://mtmsmusic.com/uploads/1/3/0/5/130588672/766992ede29986.pdf
    • http://rayrobbinsagency.com/uploads/1/3/0/3/130323355/kiriwakowezegel.pdf
    • http://catherinemao.studio/uploads/1/3/0/7/130740464/2321676.pdf
    • http://robthompsonmassage.com/uploads/1/3/0/6/130621784/2115071.pdf
    • http://stayingsafe.co.uk/uploads/1/3/0/4/130483491/b41bf8e2fed02.pdf
    • http://hiddenvalleycatfish.com/uploads/1/3/0/2/130272396/pawedivonawuko.pdf
    • http://eastmanbookshop.com/uploads/1/3/0/6/130621140/3009448.pdf
    • http://techdependence.info/uploads/1/3/0/7/130775734/nikitipure.pdf
    • http://lonestardb.com/uploads/1/3/0/7/130739624/f5b200d0d0b.pdf
    • http://accomozcontact.com/uploads/1/3/0/6/130605510/laben-jukewebo.pdf
    • http://bigleaffarms.com/uploads/1/3/0/7/130775557/3213845.pdf
    • http://wondertraveltours.xsideas.com/uploads/1/3/0/3/130323727/130323727.html#appsc+group+2+syllabus+2018+in+english
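The PDF_SEO_LINK_FARM heuristic above (and the link-farm summary under Malware Insights) can be reproduced with nothing but the standard library. The following is an added example, not the report's or the scanner's own detection code: it scans raw PDF bytes for link annotations carrying /URI actions, keeps the external links whose target path ends in .pdf, measures how concentrated they are on one host, and flags a small file that carries many such links. The size and count thresholds, the host names and the minimal PDF it builds as test input are all assumptions constructed for the example.

```python
"""Heuristic check for SEO/link-farm PDF carriers (stdlib only).

Added example, not the report's own detection code. It scans raw PDF
bytes for link annotations carrying /URI actions, keeps the external
ones, and flags the file when a small document carries many links to
.pdf targets mostly on one host. Thresholds below are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the "/A << /S /URI /URI (...) >>" action form used by link
# annotations. Only literal-string URIs are handled; hex strings and
# annotations packed into compressed object streams are not (see note).
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)", re.S)

# Thresholds are assumptions for this example, not the report's.
MAX_SMALL_PDF_BYTES = 128 * 1024
MIN_PDF_LINKS = 10
MIN_HOST_SHARE = 0.5  # "mostly clustered on one host"


def unescape_pdf_string(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for URLs."""
    out = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
    return out.decode("latin-1")


def extract_uri_links(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in link annotation actions."""
    return [unescape_pdf_string(m.group("uri")) for m in URI_ACTION.finditer(pdf_bytes)]


def external_pdf_links(uris: list[str]) -> list[str]:
    """Keep http(s) links whose path ends in .pdf (query and fragment ignored)."""
    keep = []
    for u in uris:
        parts = urlsplit(u)
        if parts.scheme in ("http", "https") and parts.path.lower().endswith(".pdf"):
            keep.append(u)
    return keep


def link_farm_verdict(pdf_bytes: bytes) -> dict:
    """Apply the small-file / many-PDF-links / host-clustering heuristic."""
    pdf_links = external_pdf_links(extract_uri_links(pdf_bytes))
    hosts = Counter(urlsplit(u).hostname or "" for u in pdf_links)
    top_host, top_count = (hosts.most_common(1) or [("", 0)])[0]
    share = top_count / len(pdf_links) if pdf_links else 0.0
    hit = (len(pdf_bytes) <= MAX_SMALL_PDF_BYTES
           and len(pdf_links) >= MIN_PDF_LINKS
           and share >= MIN_HOST_SHARE)
    return {"size": len(pdf_bytes), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2),
            "PDF_SEO_LINK_FARM": hit}


def build_sample_pdf(uris: list[str]) -> bytes:
    """Construct a minimal one-page PDF whose only content is link annotations.

    Constructed test input for this example, not a real sample. The xref
    table is omitted because the byte-level scan above does not need it."""
    annots = b""
    for i, u in enumerate(uris):
        y = 700 - 12 * i
        annots += (b"<< /Type /Annot /Subtype /Link /Rect [50 %d 500 %d] "
                   b"/A << /S /URI /URI (%s) >> >>\n" % (y, y + 10, u.encode()))
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            b"/Annots [" + annots + b"] >> endobj\n%%EOF\n")


# Constructed link set modelled on the report's pattern: many .pdf targets
# under the same /uploads/... path layout, with one host dominating.
# Host names are placeholders, not the report's URLs.
SAMPLE_URIS = [f"http://farm-host.example/uploads/1/3/0/{i}/doc{i}.pdf" for i in range(12)]
SAMPLE_URIS += ["http://other.example/uploads/1/3/0/9/x.pdf",
                "http://other.example/page.html#syllabus"]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URIS)

if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE_PDF))
```

The byte-level regex only sees annotations stored as plain objects; a PDF that packs its annotation dictionaries into compressed object streams, or that stores the URI as a hex string, will show zero links to this scan. For real samples, decompress first (for example with qpdf's --qdf or --object-streams=disable) or use a full PDF parser, and treat a zero-link result on a small file that a sandbox shows opening links as a sign the scan was evaded rather than as a clean verdict.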

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000084ae.bin
SHA-256: 6b3f8fbdd50193a7cb9bc255b06eb425c17b07158bcada72d27f933563d81801
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x84AE
Size: 8020 bytes