Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c68ae30d4e71376…

Verdict: MALICIOUS
File type: PDF
Size: 38.6 KB
Authoring application: QPDF
MD5: ca6590f6ed88b26a1ce0fa217f3a96e7
SHA-1: aa5f049a97b083f044b2d706e74b1e9f1061b87d
SHA-256: 1c68ae30d4e7137690a996cfa895eee59cbb1c3db3c1eedef00c44471f839ae3
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of clickable link annotations, almost all pointing to other PDF documents on external domains. The targets span more than twenty distinct hosts but share the same /uploads/1/3/0/<n>/<9-digit id>/<name>.pdf path structure, which points to machine-generated content on a single hosting platform rather than a normal citation pattern. Together with the producer metadata (QPDF is a PDF rewriting tool, not a document authoring application), this is characteristic of an SEO link-farm carrier used to route users onward into malicious or unwanted-software delivery chains, as flagged by the PDF_SEO_LINK_FARM heuristic and by the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0. The ML classifier also scored the file as malicious (1.0000). No scripts were extracted and the only carved artifact is an embedded font, so the T1059.001 (PowerShell) mapping is not corroborated by the file's own contents; the document body was heavily obfuscated, which prevented a more detailed analysis of the specific lure. The listed URLs are indicators of the delivery chain, not detections in themselves.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://sigroupusa.net/uploads/1/3/0/5/130588579/sitobawe.pdf
    • http://globalhealthapps.com/uploads/1/3/0/4/130483198/jonuxuni.pdf
    • http://mail.ourbirthinghome.com/uploads/1/3/0/6/130621826/450aaaa.pdf
    • http://sidemountainspecialtyfoods.com/uploads/1/3/0/2/130289222/zuwewuwedoxivaz.pdf
    • http://southforkmacro.com/uploads/1/3/0/2/130289365/dagavaletakad_vajesij_zinejuk.pdf
    • http://shapenv.com/uploads/1/3/0/5/130588786/gubulejamaxunugu.pdf
    • http://nextripchile.com/uploads/1/3/0/7/130738567/8642207.pdf
    • http://rjhomecontractor.com/uploads/1/3/0/6/130621141/zeninupup.pdf
    • http://poetmotorcycles.com/uploads/1/3/0/4/130478868/xesizup-wuxumaj-ritijatoxaxi-xijezigasika.pdf
    • http://claudiamurphy.com/uploads/1/3/0/6/130604153/9432718.pdf
    • http://mestizostacos.com/uploads/1/3/0/4/130476572/tamazokalita-bofavu.pdf
    • http://highlandrimpropertiesllc.com/uploads/1/3/0/4/130493816/331c87ea5.pdf
    • http://offgridbaraboo.com/uploads/1/3/0/7/130739505/9268579.pdf
    • http://mountainmotoadventures.com/uploads/1/3/0/4/130488584/1645915.pdf
    • http://surnamesonline.com/uploads/1/3/0/8/130814479/miroxubabipo-puwal.pdf
    • http://albrightchoir.com/uploads/1/3/0/6/130621915/divofiwujujoxaze.pdf
    • http://fashiontrendingstyles.com/uploads/1/3/0/7/130776349/8063451.pdf
    • http://teccsfsa.org/uploads/1/3/0/8/130814877/jumonipurejej.pdf
    • http://tiams.net/uploads/1/3/0/5/130590467/27888b264cd574.pdf
    • http://yuckbgone.net/uploads/1/3/0/6/130604542/7272067.pdf
    • http://meetthebeetles.info/uploads/1/3/0/4/130483290/loraxonodajufigipuze.pdf
    • http://www.munir-zakee-1.solightpro.com/uploads/1/3/0/7/130739433/teporuramedi.pdf
    • http://lamee-dark-version3-de.devsite-1.com/uploads/1/3/0/7/130776268/130776268.html#highlights+of+arbitration+and+conciliation+act+2019
    • http://poetmotorcycles.com/uploads/1/3/0/4/130478868/xesizup-wuxumaj-ritijatoxaxi-xijez
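As an added example (not part of this report or of the analysis platform's own code), the following Python script reproduces the two checks described in the Malware Insights summary and in the PDF_SEO_LINK_FARM and EMBEDDED_URL heuristics: it pulls /URI link-annotation targets from the raw PDF bytes and from any FlateDecode stream that inflates, handling both literal and hex-encoded PDF strings, and then applies a link-farm rule over the result. The size and link-count thresholds, the `.invalid` host names and the constructed sample PDF (built inline with no xref table, so it is not a renderable file) are assumptions for the illustration; the real cut-offs of the PDF_SEO_LINK_FARM heuristic are not published on this page.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Thresholds are assumptions for this illustration; the report does not
# publish the real heuristic's cut-offs.
MAX_SIZE_BYTES = 100 * 1024
MIN_PDF_LINKS = 10

# /URI targets appear as literal strings "(...)" or hex strings "<...>".
URI_LITERAL = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.DOTALL)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")
# Stream bodies; the lookbehind stops "endstream" being taken as a start marker.
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def _unescape_literal(raw: bytes) -> bytes:
    r"""Resolve PDF literal-string escapes (\(, \\, \ddd octal, \n and friends)."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            m = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
            if m:  # octal escape; high-order overflow is ignored per the PDF spec
                out.append(int(m.group(0), 8) & 0xFF)
                i += 1 + len(m.group(0))
                continue
            nxt = raw[i + 1:i + 2]
            out += ESCAPES.get(nxt, nxt)  # \n etc., or the escaped char itself
            i += 2
            continue
        out += raw[i:i + 1]
        i += 1
    return bytes(out)


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI target in the raw bytes, plus any inside inflatable (FlateDecode) streams."""
    corpora = [pdf]
    for m in STREAM.finditer(pdf):
        try:
            corpora.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or damaged); the raw bytes are scanned anyway
    found = []
    for blob in corpora:
        for m in URI_LITERAL.finditer(blob):
            found.append(_unescape_literal(m.group(1)).decode("latin-1"))
        for m in URI_HEX.finditer(blob):
            digits = re.sub(rb"\s", b"", m.group(1))
            if len(digits) % 2:
                digits += b"0"  # PDF treats a missing final hex digit as 0
            found.append(bytes.fromhex(digits.decode("ascii")).decode("latin-1"))
    return found


def link_farm_verdict(pdf: bytes) -> dict:
    """Apply the (assumed) PDF_SEO_LINK_FARM rule: small file, many external .pdf links."""
    uris = extract_uris(pdf)
    external_pdf = sorted({
        u for u in uris
        if urlparse(u).scheme in ("http", "https") and urlparse(u).path.lower().endswith(".pdf")
    })
    hosts = Counter(urlparse(u).netloc for u in external_pdf)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    return {
        "size_bytes": len(pdf),
        "uri_count": len(uris),
        "external_pdf_links": len(external_pdf),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / len(external_pdf) if external_pdf else 0.0,
        "PDF_SEO_LINK_FARM": len(pdf) <= MAX_SIZE_BYTES and len(external_pdf) >= MIN_PDF_LINKS,
    }


def build_sample(visible_links: int, hidden_links: int) -> bytes:
    """Constructed test input (xref table omitted, so not renderable): visible link
    annotations in the page object, plus hex-encoded ones hidden in a Flate stream."""
    annots = [
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI "
        b"/URI (http://site%d.invalid/uploads/1/3/0/5/%d/lure%d.pdf) >> >>"
        % (i, 130500000 + i, i)
        for i in range(visible_links)
    ]
    hidden = b"".join(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI <%s> >> >>\n"
        % (b"http://hidden%d.invalid/uploads/1/3/0/7/%d/x.pdf" % (j, 130700000 + j)).hex().encode()
        for j in range(hidden_links)
    )
    packed = zlib.compress(hidden)
    header = (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + b" ".join(annots) + b"] >> endobj\n"
    )
    objstm = (
        b"9 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
        + packed + b"\nendstream endobj\n"
    )
    return header + objstm + b"trailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(link_farm_verdict(build_sample(12, 2)))
```

To run it against a real file, call `link_farm_verdict(open(path, "rb").read())`. The `distinct_hosts` and `top_host_share` fields are what distinguish this sample (many hosts, one path scheme) from the generic "clustered on one host" wording of the heuristic, and the hidden-stream case shows why a plain grep over the raw file undercounts links when the document body is compressed or obfuscated.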

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000035bf.bin
SHA-256: a0e120498086b561437f12efb380318270011d7266812ab1d2fe07d6fd3e791f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x35BF
Size: 7716 bytes