Malicious PDF — malware analysis report

Static analysis result for SHA-256 213fe949d55f8572…

MALICIOUS

PDF

Size: 40.8 KB
Authoring application: SWFTools
MD5: 0792492c74ff45fa4559d635abdd168a
SHA-1: ebb8f9965ab929f52a10ebd72e55c88b377e8304
SHA-256: 213fe949d55f85728d26e5df9cf18c6a5c52a321fffd37f0a4918dec5fb234b7
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to other PDF files hosted on various domains, a technique often used for SEO manipulation or to distribute malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as phishing and potentially traffic redirection. The embedded URLs are the primary IOCs, suggesting a campaign focused on driving traffic to these external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, etc.) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003012.bin
  SHA-256: 985cbd9ba5b629f1b749d04d852c0eecb5d8ad374186a1044a60da9476420dc6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3012
  Size: 2788 bytes

Filename: font_01_sfnt_off00003cd7.bin
  SHA-256: 7aed0e91085751e6e00cc5c9eee8ef6994737258ba4b6775017dc52e2325fce5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3CD7
  Size: 9052 bytes