Malicious PDF — malware analysis report

Static analysis result for SHA-256 23a7959e79ee760c…

Verdict: MALICIOUS
File type: PDF
Size: 40.2 KB
Authoring application: GIMP
MD5: cf1582a40589787aeb10cd0c2d927dc9
SHA-1: 0ef178283b3b5f7567f899911ab8d9228452c93d
SHA-256: 23a7959e79ee760c3f67dbd277cc4738a2c13ab2ca43f80ec58f1573bc454632
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF's link annotations point at a large number of other PDF files hosted on many unrelated domains that all share the same /uploads/1/3/0/.../ path template, which points to a single generator behind the whole set rather than genuine document citations. This is the pattern of SEO-poisoning or phishing PDF carriers. The ClamAV signature (Pdf.Phishing.TtraffRobotInstall-7605656-0) and the Nyx classifier score of 1.0000 independently support the malicious verdict. The embedded URLs are the primary IOCs: the document is a distribution hop that routes readers to further malicious content, so the listed hosts and paths are the values to block and to search for in proxy logs.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://mail.huddingedjurklinik.se/uploads/1/3/0/6/130639413/ac06935538f7.pdf
    • http://cmillns.com/uploads/1/3/0/6/130639351/fd21e7b7.pdf
    • http://rotoruayachting.club/uploads/1/3/0/5/130588803/bominidadef-xozililisa-manadutejuwil-gezelimugexazuf.pdf
    • http://nomadel.com/uploads/1/3/0/7/130740086/8231251.pdf
    • http://aoodri.com/uploads/1/3/0/6/130603814/8066505.pdf
    • http://asianart.studio/uploads/1/3/0/5/130544091/4750948.pdf
    • http://sentientearth.net/uploads/1/3/0/6/130604844/66ade3d74530c.pdf
    • http://alldiseasebeginsinthegut.com/uploads/1/3/0/7/130740533/5962569.pdf
    • http://lisastory.space/uploads/1/3/0/7/130740598/a8bbe7d571.pdf
    • http://ocmunc.com/uploads/1/3/0/5/130542829/mizizubumi_piwuji_vujinun_bonamato.pdf
    • http://agavepress.com/uploads/1/3/0/7/130739887/takewidoru.pdf
    • http://luiscampuzanoconsultores.com/uploads/1/3/0/5/130588613/tawij.pdf
    • http://ryanhuff.net/uploads/1/3/0/2/130287852/raboxoba-nugibivuf-gezanolav-subonat.pdf
    • http://mountaingatewaytraining.org/uploads/1/3/0/8/130814387/75f5e.pdf
    • http://hostmaster.georgegoesout.co.uk/uploads/1/3/0/4/130483629/abbafb9409.pdf
    • http://provocateurla.com/uploads/1/3/0/6/130621657/10032a22d3e21.pdf
    • http://millennialjapan.com/uploads/1/3/0/6/130605159/givubabe_romojuxulex_tijirewax_farebijelowu.pdf
    • http://rejashorta.com/uploads/1/3/0/2/130289063/a30a33.pdf
    • http://moobite.com/uploads/1/3/0/5/130539155/993085.pdf
    • http://tcp-tcit.net/uploads/1/3/0/7/130775565/6329d80fb6220.pdf
    • http://host200.carmichaelnl.com/uploads/1/3/0/7/130775386/130775386.html#manufacturing+consent+noam+chomsky+and+the+media+pdf
    • http://millennialjapan.c
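
The PDF_SEO_LINK_FARM heuristic and the per-URL channel labels of EMBEDDED_URL can be reproduced with a small stand-alone extractor. The Python below is an added example written for this report, not the analysis platform's own code: it pulls /URI link-annotation targets (literal and hex string forms) and other raw-body URLs out of a PDF, labels each with the channel it came from, and applies a link-farm rule (small file, many external .pdf link targets, most on one host). The thresholds, the `build_sample_pdf` helper and the reserved `.example` hostnames are assumptions constructed for the demo. One caveat for real samples: this is a raw-byte pass, so URIs inside compressed object streams (/ObjStm) or reached through indirect references are invisible to it; use a full PDF parser for those.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI entries of link annotations, in PDF literal-string and hex-string form.
# Raw-byte pass: /URI values inside compressed object streams are not seen.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")
# Any http(s) URL anywhere in the raw bytes (document body, JS, metadata).
_ANY_URL = re.compile(rb"https?://[^\s<>()\\\"']+")


def _unescape_literal(raw: bytes) -> bytes:
    """Undo PDF literal-string escapes: \\( \\) \\\\ \\n \\r \\t and octal \\ddd."""
    def repl(m):
        esc = m.group(1)
        if not esc.strip(b"01234567"):          # octal escape \ddd
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", repl, raw, flags=re.DOTALL)


def extract_urls(pdf: bytes) -> list:
    """Return (channel, url) pairs in order of discovery.

    channel is 'link_annotation' for /URI actions and 'document_body' for
    any other URL that appears in the raw bytes (deduplicated by URL).
    """
    found, seen = [], set()

    def add(channel, url):
        if url not in seen:
            seen.add(url)
            found.append((channel, url))

    for m in _URI_LITERAL.finditer(pdf):
        add("link_annotation", _unescape_literal(m.group(1)).decode("latin-1"))
    for m in _URI_HEX.finditer(pdf):
        hexstr = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        if len(hexstr) % 2:                      # PDF pads an odd final digit with 0
            hexstr += "0"
        add("link_annotation", bytes.fromhex(hexstr).decode("latin-1"))
    for m in _ANY_URL.finditer(pdf):
        add("document_body", m.group(0).decode("latin-1"))
    return found


def link_farm_check(pdf: bytes, min_links: int = 10, max_size: int = 256 * 1024,
                    min_top_host_share: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM-style rule with assumed thresholds: a small file whose
    link annotations point at many external .pdf targets, most on one host."""
    annots = [u for ch, u in extract_urls(pdf) if ch == "link_annotation"]
    ext_pdf = [u for u in annots
               if urlsplit(u).scheme in ("http", "https")
               and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in ext_pdf)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(ext_pdf) if ext_pdf else 0.0
    return {
        "size": len(pdf),
        "link_annotations": len(annots),
        "external_pdf_links": len(ext_pdf),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "flagged": (len(pdf) <= max_size and len(ext_pdf) >= min_links
                    and share >= min_top_host_share),
    }


def build_sample_pdf(links: list) -> bytes:
    """Constructed test input: a minimal one-page PDF whose /Annots array holds
    one /URI link annotation per URL (URLs must not contain parentheses)."""
    objs, refs = [], []
    for n, url in enumerate(links, start=5):
        objs.append(f"{n} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({url}) >> >> endobj")
        refs.append(f"{n} 0 R")
    body = ("%PDF-1.4\n"
            "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{' '.join(refs)}] >> endobj\n"
            "4 0 obj << /Length 0 >> stream\nendstream endobj\n"
            + "\n".join(objs) + "\ntrailer << /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# Constructed link sets (reserved .example hostnames, not the report's IOCs):
# a link-farm carrier with most targets on one host, and an ordinary document.
FARM_LINKS = [f"http://cdn-a.example/uploads/1/3/0/6/13063941{i}/{i:04x}.pdf"
              for i in range(12)] + [
    "http://cdn-b.example/uploads/1/3/0/7/130740086/8231251.pdf",
    "http://cdn-c.example/index.html#some+title+pdf",
]
NORMAL_LINKS = ["https://www.example.org/paper.pdf", "https://www.example.org/"]

if __name__ == "__main__":
    for name, links in (("farm", FARM_LINKS), ("normal", NORMAL_LINKS)):
        print(name, link_farm_check(build_sample_pdf(links)))
```

Run it on a real carrier by replacing `build_sample_pdf(...)` with the file's bytes; the per-URL channel label is what separates a clickable link annotation from a URL that merely appears in text or metadata.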

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003cc3.bin
SHA-256: 0c97959fe4e2c7a5cbf79761feea615703893d2c8ba82e2fe000086f31260f86
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3CC3
Size: 8184 bytes