Malicious PDF — malware analysis report

Static analysis result for SHA-256 18a280a6b4326a43…

Verdict: MALICIOUS
File type: PDF
Size: 44.7 KB
Authoring application: Nitro PDF
MD5: dcd24303293c6f7d255647f6743cff8a
SHA-1: 048705d2db9166841b81a8106da5088a9f279e0a
SHA-256: 18a280a6b4326a434b4ca4792a43738693d96489fce6d68b5a2683bcdde7edb3
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic, pointing to external PDF files. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or distributing further malware. While no scripts were explicitly extracted, the nature of the embedded URLs suggests a potential for JavaScript execution or redirection to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000011be.bin
    SHA-256: 8225552ec0f97a55e8922e1d13be938f62e3e9cee1563efe0fb7d8a8731e75d1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11BE
    Size: 9228 bytes
  • font_01_sfnt_off00005e0e.bin
    SHA-256: 3e9a9dfb40a01f9f7c9c545b28ba37f1de74591f2b47bc69a9983f40f3f3ebd7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5E0E
    Size: 16080 bytes
  • font_02_sfnt_off00007270.bin
    SHA-256: 4fa858b82b445805eff69b872cfcae0b273ce6c644f001a2365b71733efe32ff
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7270
    Size: 2988 bytes