Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d6355383356a4ee…

MALICIOUS

PDF

Size: 33.5 KB
Authoring application (from document metadata): Poppler-utils
MD5: 0767b82ba5d9fd5e617bacc3badb2a70
SHA-1: 1fa511248e2f1a497f4f4e71e583017426ab521e
SHA-256: 1d6355383356a4ee12077897b4257559f2848ce759909e8fda29416643511f6e
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic, which points to a link-farm or redirection scheme rather than normal document citations. Nearly all of the extracted URLs lead to further .pdf files under an identical /uploads/1/3/0/... path layout on otherwise unrelated hosts, the generated-carrier pattern the heuristic describes. ClamAV also detects the file as Pdf.Dropper.Agent-7938943-0. The extracted document body text is heavily corrupted and gives no further context on the specific lure, but the overall structure is consistent with a malicious dropper or phishing carrier.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-7938943-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7938943-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://globalhealthhighschool.org/uploads/1/3/0/6/130621960/mapesevimoxas.pdf
    • http://briantravisray.com/uploads/1/3/0/8/130813790/2efc19cda0db.pdf
    • http://www.anthonymangotta.com/uploads/1/3/0/4/130483728/kawevexoxike.pdf
    • http://silentlyfallen.org/uploads/1/3/0/4/130476440/5d14f7a3.pdf
    • http://muziekkapel.be/uploads/1/3/0/6/130605306/gafavaw-dazegazabif-mafedev.pdf
    • http://tingestudio.net/uploads/1/3/0/2/130272557/dejopev_muwevimiz.pdf
    • http://nataliesnutrition.ca/uploads/1/3/0/5/130547771/667b585a578.pdf
    • http://villaswoodsonbend.com/uploads/1/3/0/7/130776113/gowubetubevibe.pdf
    • http://usenvelopes.com/uploads/1/3/0/2/130270905/dujudozasuwijuzo.pdf
    • http://www.melslittlekitchen.com/uploads/1/3/0/5/130543772/9219448.pdf
    • http://www.boisescarpetcleaners.com/uploads/1/3/0/3/130379424/2b2facb22dbb1f.pdf
    • http://baanbab.com/uploads/1/3/0/6/130603673/wafudegofasu.pdf
    • http://webmail.eastcommltd.com/uploads/1/3/0/7/130776025/4572165.pdf
    • http://mylenderscott.com/uploads/1/3/0/4/130476469/modonipisapiza_bidupilava_fisewuwutewale_remokimuxikobij.pdf
    • http://www.elementsalonduncan.com/uploads/1/3/0/6/130621111/dafikenukomepil-piluwazudovi-xeliwarim.pdf
    • http://belindawabelo.com/uploads/1/3/0/5/130543757/lamakorebodasu-dusowimite-repogifaxuwupuf-zuduwofakijas.pdf
    • http://tribalethics.org/uploads/1/3/0/8/130874329/dosed.pdf
    • http://pickupfootball.net/uploads/1/3/0/6/130604009/abd630caa5b.pdf
    • http://nenzhengqiandeqipai.br3h.com/uploads/1/3/0/4/130483614/130483614.html#methotrexate+for+ectopic+pregnancy
    • http://nataliesnutrition.ca/u
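The link-farm heuristic above can be reproduced with standard-library Python. The block below is an added example, not the analysis platform's own code: it scans a PDF's bytes (and every Flate stream that inflates, so annotations hidden in object streams are seen too) for /URI link targets, then scores them with assumed thresholds (file size, link count, share of .pdf targets) and reports host and path-template clustering, the latter being my extension so that the pattern in this sample, one path layout across many hosts, is visible. The PDF it builds and the site-NN.test URLs are constructed test data, not the sample's real links.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed test input, not the sample's real links: nine .pdf targets on
# distinct hosts that share one path template, plus one .html lure.
SAMPLE_URIS = [
    "http://site-%02d.test/uploads/1/3/0/%d/13%07d/lure%d.pdf" % (i, i % 9, i, i)
    for i in range(1, 10)
] + ["http://site-10.test/uploads/1/3/0/4/130483614/130483614.html#lure"]

URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")   # /URI (literal string)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")          # /URI <hex string>
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def build_sample_pdf(uris):
    """Constructed minimal PDF: link annotations as plain objects (the first
    with a hex-encoded /URI), the last three packed into a Flate stream to
    exercise the inflate path. No xref: the byte scanner below needs none."""
    def annot(uri, hexenc=False):
        raw = uri.encode()
        target = b"<" + raw.hex().encode() + b">" if hexenc else b"(" + raw + b")"
        return (b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                b"/A << /S /URI /URI " + target + b" >> >>")
    plain, packed = uris[:-3], uris[-3:]
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>"]
    objs += [annot(u, hexenc=(i == 0)) for i, u in enumerate(plain)]
    data = zlib.compress(b"\n".join(annot(u) for u in packed))
    objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(data)
                + data + b"\nendstream")
    out = b"%PDF-1.4\n"
    for n, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % n + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


def _unescape(lit):
    # Only the literal-string escapes that matter for URLs: \( \) and \\
    return lit.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")


def _hexstr(h):
    h = re.sub(rb"\s", b"", h).decode()
    return bytes.fromhex(h + "0" * (len(h) % 2)).decode("latin-1")  # spec pads an odd final digit


def extract_link_uris(pdf):
    """Every /URI target in the raw file plus in every stream that inflates
    (object streams and compressed annotation dictionaries)."""
    views = [pdf]
    for m in STREAM.finditer(pdf):
        try:
            views.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue                        # not Flate (image, raw font, ...): skip
    found = []
    for blob in views:
        found += [_unescape(m.group(1)).decode("latin-1") for m in URI_LITERAL.finditer(blob)]
        found += [_hexstr(m.group(1)) for m in URI_HEX.finditer(blob)]
    return list(dict.fromkeys(found))       # de-duplicate, keep first-seen order


def link_farm_score(uris, file_size, max_size=64 * 1024, min_links=10, min_pdf_share=0.7):
    """Assumed thresholds, not the vendor's: a small file whose clickable links
    are mostly external .pdf targets. Host and path-template clustering are
    reported so an analyst can see whether the links share one host or, as in
    the report's sample, one hosting path layout spread over many hosts."""
    hosts, templates = Counter(), Counter()
    external = pdf_targets = 0
    for u in uris:
        p = urlsplit(u)
        if p.scheme not in ("http", "https"):
            continue
        external += 1
        hosts[(p.hostname or "").lower()] += 1
        templates[re.sub(r"\d+", "#", p.path)] += 1   # digits collapsed: /uploads/#/#/#/#/#/lure#.pdf
        pdf_targets += p.path.lower().endswith(".pdf")

    def top_share(counter):
        return round(counter.most_common(1)[0][1] / external, 2) if external else 0.0

    pdf_share = round(pdf_targets / external, 2) if external else 0.0
    return {
        "external_links": external,
        "pdf_share": pdf_share,
        "distinct_hosts": len(hosts),
        "top_host_share": top_share(hosts),
        "top_path_template_share": top_share(templates),
        "link_farm": file_size <= max_size and external >= min_links and pdf_share >= min_pdf_share,
    }


if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_URIS)
    links = extract_link_uris(pdf)
    print(len(links), "links:", link_farm_score(links, len(pdf)))
```

Scanning bytes rather than walking the object graph is deliberate: a carrier with a broken xref or corrupted body text, as this sample has, still yields its link targets. The trade-off is that the scanner cannot tell a live link annotation from a /URI string left in an unreferenced object, so the count is an upper bound and the per-URL channel labels the report refers to still need a real parser.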

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off00001cd2.bin
  SHA-256: 6dc6e07f93ae70488a19e8a398a1c6cda2f5723fc3d3cbe180c5afbb10c3611e
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1CD2
  Size:    2864 bytes

font_01_sfnt_off00002892.bin
  SHA-256: d3ca5a9d692fd919318881a2e1279fc66925f658521a3e74b93bedf288244977
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x2892
  Size:    6408 bytes
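How the two font artifacts above are carved, as an added example and not the platform's own carver: every PDF stream is inflated where it is FlateDecode, scanned for the three sfnt magics (TrueType 0x00010000, Apple 'true', CFF-based 'OTTO'), and the sfnt table directory is parsed to obtain the font's true size from the furthest table end, so a chance magic match in unrelated data is rejected and the carved blob is hashed and named the way the artifact list is. The two fonts and the carrier PDF are constructed inline with dummy table contents; none of it is the sample's data.

```python
import hashlib
import re
import struct
import zlib

SFNT_MAGIC = re.compile(rb"\x00\x01\x00\x00|true|OTTO")   # TrueType, Apple TrueType, CFF OpenType
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)endstream", re.S)


def sfnt_extent(buf, off):
    """Size of the sfnt at buf[off] as its own table directory declares it
    (furthest table end), or None when the directory is not plausible, which
    is how a stray magic match inside other data gets rejected."""
    if len(buf) - off < 12:
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    dir_end = 12 + 16 * num_tables
    if not 1 <= num_tables <= 64 or len(buf) - off < dir_end:
        return None
    extent = dir_end
    for i in range(num_tables):
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):              # tags are printable ASCII
            return None
        if t_off < dir_end or t_off + t_len > len(buf) - off:  # table after directory, inside buffer
            return None
        extent = max(extent, t_off + t_len)
    return extent


def carve_sfnt_fonts(pdf):
    """Carve every embedded sfnt from a PDF's streams. Flate streams are
    inflated first and their offsets count inside the inflated data (the file
    holds only compressed bytes); other streams are scanned as stored and
    get true file offsets, as in the report's artifact list."""
    carved = []
    for m in STREAM.finditer(pdf):
        data, base, source = m.group(1), m.start(1), "raw stream"
        try:
            data, base = zlib.decompressobj().decompress(data), 0
            source = "inflated stream at file offset 0x%X" % m.start(1)
        except zlib.error:
            pass                                   # not Flate: scan the bytes as stored
        for cand in SFNT_MAGIC.finditer(data):
            size = sfnt_extent(data, cand.start())
            if size is None:
                continue
            blob = data[cand.start():cand.start() + size]
            carved.append({
                "name": "font_%02d_sfnt_off%08x.bin" % (len(carved), base + cand.start()),
                "source": source,
                "offset": base + cand.start(),
                "size": size,
                "sha256": hashlib.sha256(blob).hexdigest(),
                "data": blob,
            })
    return carved


def build_sfnt(version, tables):
    """Constructed minimal sfnt: header, table directory, then the table bodies
    4-byte aligned as real fonts lay them out. tables = [(tag, bytes)]."""
    n = len(tables)
    pow2 = 1 << (n.bit_length() - 1)               # largest power of two <= n
    header = struct.pack(">4sHHHH", version, n, pow2 * 16, pow2.bit_length() - 1, n * 16 - pow2 * 16)
    records, bodies, pos = b"", b"", 12 + 16 * n
    for tag, body in tables:
        records += struct.pack(">4sIII", tag, 0, pos, len(body))
        bodies += body + b"\0" * (-len(body) % 4)
        pos += len(body) + (-len(body) % 4)
    return header + records + bodies


# Constructed test fonts; the table bodies are filler, not real font data.
FONT_A = build_sfnt(b"\x00\x01\x00\x00", [(b"head", bytes(54)), (b"cmap", bytes(range(1, 21)))])
FONT_B = build_sfnt(b"OTTO", [(b"CFF ", bytes(range(0x10, 0x2E)))])


def build_sample_pdf():
    """FONT_A embedded as stored (no filter), FONT_B behind FlateDecode, the common case."""
    packed = zlib.compress(FONT_B)
    obj1 = b"<< /Length %d /Length1 %d >>\nstream\n" % (len(FONT_A), len(FONT_A)) + FONT_A + b"\nendstream"
    obj2 = b"<< /Length %d /Filter /FlateDecode /Subtype /OpenType >>\nstream\n" % len(packed) + packed + b"\nendstream"
    return b"%PDF-1.4\n1 0 obj\n" + obj1 + b"\nendobj\n2 0 obj\n" + obj2 + b"\nendobj\n%EOF\n"


if __name__ == "__main__":
    for f in carve_sfnt_fonts(build_sample_pdf()):
        print(f["name"], f["source"], f["size"], f["sha256"])
```

The size comes from the table directory, not from the stream's /Length, so the carved blob excludes trailing padding (FONT_B is stored as 60 bytes, its directory declares 58) and matches what a font parser will actually consume. Carving the fonts out separately is what lets them be hashed and scanned on their own, as the artifact list above does.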