Malicious PDF — malware analysis report

Static analysis result for SHA-256 16ed78f79ad8d59f…

MALICIOUS

PDF

41.5 KB Authoring application: Serif PagePlus
MD5: 2cb02169a2cfe93f02f5ae3718a94ba5 SHA-1: 42dbe22051c0a5bb68637ff420edd9e4aa918c32 SHA-256: 16ed78f79ad8d59f40e7504101ecb3f10440ce0e13e3f4e062a84ade434eea49
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic, which is indicative of a phishing or malware distribution scheme. The embedded URLs likely lead to further malicious content or phishing pages. The ClamAV detection and ML classifier further support the malicious nature of this file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://kathrynluster.net/uploads/1/3/0/6/130604415/bozisiluw.pdf
    • http://triamantdigital.com/uploads/1/3/0/7/130776821/fozisiwolurasibe.pdf
    • http://ulessor.com/uploads/1/3/0/6/130639728/30500.pdf
    • http://pchelpcenter.weebly.com/uploads/1/3/0/6/130621654/ec79b8af.pdf
    • http://addongyan.com/uploads/1/3/0/5/130590702/misuzexosezi.pdf
    • http://replenishmysoul.com/uploads/1/3/0/3/130313237/meriperorekekaw-lujobelapur-tebeg.pdf
    • http://gatedot.evroplast92.ru/uploads/2020/01/28/vozeb.pdf
    • http://operationgringo.com/uploads/1/3/0/4/130436313/1913157.pdf
    • http://nuobeijing.devsite-1.com/uploads/1/3/0/7/130739983/130739983.html#graded+multiple-choice+english+tests-c1+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000011c9.bin
490449e96f553cfaa373ff5bff521036f75b3e1071e0f919e88484e7307805e8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11C9 8728 bytes
font_01_sfnt_off00004ed5.bin
8f568efb724e7d048265d42dcb028eba820296ab220ccb9909b3b22bd4f384b1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4ED5 17364 bytes
font_02_sfnt_off000066cf.bin
63f5e27ee3d24cc00d413e59c301cc73ab377383609796993547673f2bea898c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66CF 2600 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.