Malicious PDF — malware analysis report

Static analysis result for SHA-256 1ba605a42540379e…

MALICIOUS

PDF

Size: 33.1 KB
Authoring application: pdf-parser
MD5: 1b5c0344c3b347a815343160896f7796
SHA-1: 69aa2a352162953485acd95de4de63c14fb75716
SHA-256: 1ba605a42540379ea7f835c8c00d091f7b688043988fabc12c3a7f051ba72252
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1204.001 User Execution: Malicious Link
  • T1566.002 Phishing: Spearphishing Link

The sample is a small PDF containing a mass of external links, triggering the PDF_SEO_LINK_FARM heuristic. The document body uses a lure related to an 'Alcoholics Anonymous book pdf' to attract users, and the embedded URLs lead to other PDFs hosted on various compromised or free hosting services like Weebly, which is characteristic of SEO poisoning and phishing campaigns.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000160c.bin
Hash: 51b2be749cc818537958cfb3b21812db2d105e3c97dea89729d95e802eadcff4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x160C
Size: 7132 bytes