Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c9508b46941ecee…

MALICIOUS

PDF

Size: 37.4 KB
Authoring application: ImageMagick
MD5: f4899ac904748677e249bf0e0615f60b
SHA-1: 1d98b778b72a454f7173abba927837ca10e964c5
SHA-256: 1c9508b46941ecee26cd0510bf57aca3af70a956f84157697ef076d883c89e96
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The sample is a small (37.4 KB) PDF whose content is essentially a mass of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic. Of the 22 URLs extracted, 21 point to .pdf files under an identical /uploads/1/3/0/<n>/<id>/ directory layout spread across unrelated hosts, which is the shape of a generated link-farm carrier rather than of genuine document citations. The ClamAV signature (Pdf.Phishing.TtraffRobotInstall-7605656-0) and the Nyx classifier score of 1.0 corroborate the malicious verdict. The links are the delivery mechanism: they likely route a reader to further carrier PDFs or to phishing and unwanted-software download pages, a pattern common to SEO-spam and phishing campaigns. Static analysis shows only the first hop; the final payload can be established only by following the chain in an isolated environment.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://athome-atsea.com/uploads/1/3/0/4/130477039/b0836f2208f.pdf
    • http://tedmakes.com/uploads/1/3/0/6/130604580/b466f0b1.pdf
    • http://www.fastrooster.com/uploads/1/3/0/5/130544067/lugifubumid.pdf
    • http://hazardouscre8ivity.com/uploads/1/3/0/7/130740056/vimin-jelisegova.pdf
    • http://m311.net/uploads/1/3/0/6/130639635/8282749.pdf
    • http://movingcompanyokc.com/uploads/1/3/0/6/130604165/piwewebi.pdf
    • http://michaelromig.net/uploads/1/3/0/6/130604009/pavudoxa_lijixato_rozojubobi.pdf
    • http://bayook.com/uploads/1/3/0/2/130271179/bumegogus.pdf
    • http://cvolierborgerhout.com/uploads/1/3/0/5/130539227/zegetazujaf-junujiwunififu.pdf
    • http://michelhb.com/uploads/1/3/0/2/130291809/7625655.pdf
    • http://midster.net/uploads/1/3/0/2/130287930/jepadako-kodok.pdf
    • http://youngatheartdesigns.com/uploads/1/3/0/3/130313463/68a29be92.pdf
    • http://www.kira-girl.com/uploads/1/3/0/2/130289748/gonosokuzadux_ginur_kadup_baxitoziv.pdf
    • http://msdixonart.com/uploads/1/3/0/6/130605506/pejim.pdf
    • http://propellersound.ca/uploads/1/3/0/5/130588210/temije.pdf
    • http://sheaandaloe.com/uploads/1/3/0/2/130274091/befukokaju.pdf
    • http://completebydesigncbd.net/uploads/1/3/0/6/130620372/2713195.pdf
    • http://www.drugmarketcommentary.com/uploads/1/3/0/2/130270742/3691035.pdf
    • http://wehry.com/uploads/1/3/0/8/130874524/tusogakitikifiran.pdf
    • http://rjhomecontractor.com/uploads/1/3/0/7/130775985/387b8f145ec1ef7.pdf
    • http://krishnadasa.com/uploads/1/3/0/7/130775392/duxud-kodananenovese.pdf
    • http://pqm.brdge.org/uploads/1/3/0/6/130639966/130639966.html#looking+backward+thinking+forward+occupational+therapy+and+autism+spectrum+disorders
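The link-farm heuristic above, as an added worked example (not the scanner's or the Nyx classifier's own code): it pulls /URI strings out of a PDF's plain objects and out of any Flate-compressed stream that inflates, then measures how strongly the links cluster on a single host or, going beyond the heuristic's wording, on a single path layout, which is what actually repeats in this sample (different hosts, identical /uploads/1/3/0/... directories). The thresholds (64 KB, 10 links, 50 % clustering), the sample URLs and the constructed PDF are assumptions for the example.

```python
# Added example: a minimal PDF_SEO_LINK_FARM-style check. Not the scanner's own
# implementation; thresholds, SAMPLE_URLS and build_sample_pdf() are assumptions.
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# /URI (...) as written in a link annotation's /A << /S /URI /URI (...) >> dictionary.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Stream bodies; annotation dicts packed into object streams are usually FlateDecode'd.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)


def extract_uris(pdf):
    """Unique URIs from plain objects plus every stream that inflates as zlib data."""
    uris = URI_RE.findall(pdf)
    for m in STREAM_RE.finditer(pdf):
        try:
            uris += URI_RE.findall(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # image data or an uncompressed stream; nothing to inflate
    return list(dict.fromkeys(u.decode("latin-1") for u in uris))


def path_template(url):
    """Drop the file name and collapse digit runs: /uploads/1/3/0/5/1305/x.pdf -> /uploads/N/N/N/N/N/"""
    directory = urlparse(url).path.rsplit("/", 1)[0] + "/"
    return re.sub(r"\d+", "N", directory)


def link_farm_score(pdf, max_size=64 * 1024, min_links=10, cluster_ratio=0.5):
    """Flag a small PDF whose external links pile onto one host or one path layout.

    The thresholds are assumptions for this example, not the scanner's real values."""
    uris = [u for u in extract_uris(pdf) if u.lower().startswith(("http://", "https://"))]
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    layouts = Counter(path_template(u) for u in uris)
    top_host, host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_layout, layout_n = layouts.most_common(1)[0] if layouts else ("", 0)
    clustered = max(host_n, layout_n) / len(uris) if uris else 0.0
    return {
        "size": len(pdf),
        "links": len(uris),
        "top_host": top_host,
        "top_layout": top_layout,
        "clustered": round(clustered, 2),
        "flagged": len(pdf) <= max_size and len(uris) >= min_links and clustered >= cluster_ratio,
    }


def build_sample_pdf(urls, compress_from=0):
    """Constructed test input: one page whose /Annots are URI link annotations.

    Annotations from index `compress_from` onwards go into a Flate-compressed stream
    standing in for an object stream (simplified: a spec-valid /ObjStm also needs
    /N and /First), so both extraction paths get exercised."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>")
    annot = b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (%s) >> >>"
    plain = [annot % u.encode() for u in urls[:compress_from]]
    packed = b"\n".join(annot % u.encode() for u in urls[compress_from:])
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs + plain))
    if packed:
        z = zlib.compress(packed)
        body += (b"%d 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream\nendobj\n"
                 % (len(objs) + len(plain) + 1, len(z), z))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample: twelve unrelated hosts sharing one generated directory layout,
# plus one ordinary link, mirroring the shape of the URL list in the report above.
SAMPLE_URLS = [
    f"http://site{i}.example/uploads/1/3/0/{i % 9}/13047{i:04d}/{'x' * i}.pdf" for i in range(1, 13)
] + ["https://www.example.org/about"]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf(SAMPLE_URLS, compress_from=8)
    print(link_farm_score(data))
```

Run it with a file path to score a real sample. The regex scan is deliberately shallow: it misses /URI values written as hex strings (`<...>`), links reached through /Dest, /GoToR or JavaScript actions, and objects inside encrypted files, so a production check should walk the object tree with a real PDF parser (pikepdf or similar) and treat a regex hit as a fast pre-filter only.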

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00003049.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x3049  8372 bytes
SHA-256: bded8eea570ac408badaba3ff0536e637a1992e8de816f51237141c0f3896aef