Malicious PDF — malware analysis report

Static analysis result for SHA-256 15b0d3ad799bb192…

Verdict: MALICIOUS
File type: PDF
Size: 100.8 KB
Authoring application: Scribus
MD5: d21a3fd81a8fadfcd98bf1c24cb2f172
SHA-1: 15a0be7db43158851b4b32eda0b000862d703fe2
SHA-256: 15b0d3ad799bb19208b6fef79973a3e871398b4e1a0720eb97059c89aa52638c
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, as flagged by the PDF_SEO_LINK_FARM heuristic. This suggests the document is designed to redirect users to malicious or compromised websites. The ML_NYX_PDF_MALICIOUS and ClamAV detections further support its malicious nature, with ClamAV classifying it as a dropper. The primary attack pattern involves luring users to click on these links, likely leading to further malware downloads or phishing attempts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-7923188-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7923188-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: font_00_sfnt_off0001001e.bin
  SHA-256: 2a9c0dc061a0cd1c2062188d1bbda2f4d84d21f0e4aeb7e2c31ffc8558a87900
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1001E
  Size: 5172 bytes

Artifact 2
  Filename: font_01_sfnt_off00011780.bin
  SHA-256: 7b7e957e1edcdf6c20a3a6cb877bb9e29d9467786b8474ec3c934cc2a603bfd8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11780
  Size: 22344 bytes