Malicious PDF — malware analysis report

Static analysis result for SHA-256 25d457baf2e27e33…

Verdict: MALICIOUS
File type: PDF
Size: 37.0 KB
Authoring application: pdf-parser
MD5: f39f512739f3f467b48191079dda50c3
SHA-1: aefa6586015d3516fc30f15b20f00d22eecf7a2f
SHA-256: 25d457baf2e27e33b927b8b7af859aed2bc825f34c8c4dc5d170b4385acbbf2d
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF files hosted on various domains. This technique is often used for SEO manipulation or to distribute malicious payloads. The ClamAV detection and ML classifier strongly indicate malicious intent, consistent with a phishing or content distribution scheme.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://lltraininginstitute.net/uploads/1/3/0/7/130738963/zazeridekezovubon.pdf
    • http://www.southparkwholesale.net/uploads/1/3/0/6/130639708/f9c72828adbba.pdf
    • http://lafayetteschoolrestoration.com/uploads/1/3/0/6/130639877/busutitujinevutenape.pdf
    • http://www.yarnislove.com/uploads/1/3/0/6/130639365/rijugudugeje.pdf
    • http://ryanimmler.com/uploads/1/3/0/7/130738871/sarozepegepo.pdf
    • http://worldofmuseumships.com/uploads/1/3/0/5/130589123/b9a14e4aca0ac6.pdf
    • http://www.bicomessentialhealth.com.au/uploads/1/3/0/4/130436096/pinezolovofemuvuti.pdf
    • http://travelerswineclub.com/uploads/1/3/0/5/130588710/1275431.pdf
    • http://solchargeaus.com/uploads/1/3/0/7/130775025/cbc9f7162621b5.pdf
    • http://www.wlnhelena.com/uploads/1/3/0/4/130478244/lavuze.pdf
    • http://lend-life.com/uploads/1/3/0/6/130639812/nadirugebulatub.pdf
    • http://nolaproauto.com/uploads/1/3/0/2/130272554/wotuvapuj-golelet-jakixobo-kuxolog.pdf
    • http://moscowshamrocks.com/uploads/1/3/0/4/130436152/jafofew_mikipogobagur_miwokoxufiro.pdf
    • http://samsmaterialcompany.biz/uploads/1/3/0/2/130273589/a031d75ef2.pdf
    • http://mail.atelierstlouis.com/uploads/1/3/0/4/130483390/sigisofukalopew.pdf
    • http://www.bruxitdevice.com/uploads/1/3/0/9/130969689/peniwegunafoxezo.pdf
    • http://shearwaterwarmbloods.ca/uploads/1/3/0/3/130323727/5436750.pdf
    • http://pcrowd.danafarberdev.org/uploads/1/3/0/7/130739876/xofabuguv-zuvotikaz-letawixufev.pdf
    • http://akermanfinancialservices.com/uploads/1/3/0/2/130291433/efdc67cb1ed8e6.pdf
    • http://74-123-73-136.mgwnet.com/uploads/1/3/0/7/130739806/130739806.html#bursitis+with+impingement+treatment
    • http://lend-life.com/uploads/1/3/0/6/130639812/nadirugebulat

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000032f6.bin
SHA-256: 8a2471b6740e117fe3c5ea3eb7170cb508d8a391ac8412bec9e5c993373084b0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x32F6
Size: 7460 bytes