Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e9b05dfdfc2f4c0…

Verdict: MALICIOUS
File type: PDF
Size: 86.1 KB
Authoring application: Mobipocket Creator
MD5: 201a204003b73d4600e593e94dc02e67
SHA-1: ca31e9f478cb6790023955195595dc92a3dcf464
SHA-256: 1e9b05dfdfc2f4c077bb1828834ccbca720573112195b7ade1a710ed2c6b212a
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The critical heuristic 'PDF_SEO_LINK_FARM' indicates the presence of 31 external PDF links, with the primary domain being 'mymvmtpods.com'. This suggests the document's purpose is to act as a lure, directing users to a network of other malicious PDF files, likely for phishing or malware distribution. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9254

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (informational) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mymvmtpods.com/uploads/1/3/0/5/130550729/fivapikatenu.pdf
    • http://spirituallyyou.life/uploads/1/3/0/5/130550997/nawasibub_lemukopus_golusereguzozuj_wazesijuji.pdf
    • http://mgtowtv.com/uploads/1/3/0/6/130639017/07de5bf1e81f.pdf
    • http://mu-danca.com/uploads/1/3/0/2/130288523/1721180.pdf
    • http://dsy.allstars.org/uploads/1/3/0/6/130604250/3975113.pdf
    • http://weedeaterridinglawnmower.net/uploads/1/3/0/5/130588931/lujivekupome_rojajo_dajadesasa_buniwe.pdf
    • http://ashonfood.com/uploads/1/3/0/6/130604552/womin_wulefegev_jefedegi_jemosozazebav.pdf
    • http://andrewcarlosarchitect.com/uploads/1/3/0/5/130590356/nukenutiduraxan.pdf
    • http://cybertrainingpro.com/uploads/1/3/0/7/130775704/gekavakutexe.pdf
    • http://trustedcannabiscfo.com/uploads/1/3/0/2/130270763/8472171.pdf
    • http://aka108.com/uploads/1/3/0/7/130740522/bisajipulifuka.pdf
    • http://gcseclub.com/uploads/1/3/0/6/130622009/nuzodi.pdf
    • http://masonicformation.com/uploads/1/3/0/2/130289581/dawazulem-zijanejoget-tawexazo-zapom.pdf
    • http://dealershowing.com/uploads/1/3/0/4/130488987/bebefukota.pdf
    • http://www.lawson-kilauea.com/uploads/1/3/0/4/130483679/vevorofonobemuwu.pdf
    • http://www.md12658917.com/uploads/1/3/0/8/130813979/c603129a2d.pdf
    • http://culturallyresponsivesustainedteaching.com/uploads/1/3/0/6/130620769/fegujoteg.pdf
    • http://tecnialuminios.com/uploads/1/3/0/7/130776886/3264e955e5cd.pdf
    • http://cadencehealth.co.uk/uploads/1/3/0/7/130776218/domaxujigixujir.pdf
    • http://solutionfocusedtherapys.org/uploads/1/3/0/7/130776023/desud.pdf
    • http://nyforceacademy.com/uploads/1/3/0/6/130639092/xoguzimikagezunojeka.pdf
    • http://youarebow.com/uploads/1/3/0/4/130478106/7296147.pdf
    • http://makrworld.com/uploads/1/3/0/2/130289620/xonojajexuto.pdf
    • http://www.fotostudiolw.com/uploads/1/3/0/7/130776295/putuwu.pdf
    • http://74-123-72-107.mgwnet.com/uploads/1/3/0/6/130604281/130604281.html#apache+open+office+applications

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000011a9.bin
    SHA-256: ae6c1cb82df5c50e2aa4bff98a0528789f20d6788fc7e6f934a652ee3dc3fb5e
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x11A9; Size: 11776 bytes
  • font_01_sfnt_off00008b64.bin
    SHA-256: 57ab9563b93709fdd7a716e21cede2f27f3b6b500259d68a041fdcb0de1a569d
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x8B64; Size: 6336 bytes
  • font_02_sfnt_off00009f3e.bin
    SHA-256: bbd465158f88620f6b89bbc14fd4053a393fda34b464cf5d9625b9580ee6f51f
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x9F3E; Size: 10240 bytes
  • font_03_sfnt_off0000b4be.bin
    SHA-256: b1118302c5517eb61a6a239cbb0c0398f36a596cc95e76ebefef7294164c1510
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xB4BE; Size: 7316 bytes
  • font_04_sfnt_off0000c70d.bin
    SHA-256: a47959a8a0c44ddf6b8e998b6dd727bd4d99d6980137c168d359ab97f64ba13a
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xC70D; Size: 5032 bytes
  • font_05_sfnt_off0000d5bc.bin
    SHA-256: 750c92fa1db5810c6de6b1040e9c0837d38486580b44de1cde3f2eb8b8040d63
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xD5BC; Size: 6664 bytes
  • font_06_sfnt_off0000e682.bin
    SHA-256: 4c93801c4768b9cf34ec960e4f85d683fdbe353adcc5a9e70f9f8b41c5e92470
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xE682; Size: 3508 bytes
  • font_07_sfnt_off0000f24e.bin
    SHA-256: a698bf74a6b91010e90e2891ccde8bbe917d6cb64c35f07d6b7285511bd4a274
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xF24E; Size: 16860 bytes