Malicious PDF — malware analysis report

Static analysis result for SHA-256 2646cca96929c2ab…

Verdict: MALICIOUS
File type: PDF
Size: 59.0 KB
Authoring application: pstoedit
MD5: eb503d8dab461a631abbf5f4730cc404
SHA-1: 08e33a8c486a607db7b037860696fdc7cff4dfed
SHA-256: 2646cca96929c2ab1840b7ea90f5651069fdc0dd463cdcde553925944c3ad937
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF contains a large number of external links; the primary one points to express-prachka.ru, and the heuristics flag the link pattern as a probable SEO link farm used to route readers into malicious or unwanted-software delivery chains. The ClamAV signature (Pdf.Phishing.TtraffRobotInstall-7605656-0) and the ML classifier both rate the file as malicious, specifically as phishing. The document body, though partially corrupted, mentions 'examination form correction' and 'press release', consistent with a lure designed to get the reader to click the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://express-prachka.ru/uploads/2020/01/28/tudipo.pdf (primary link)
    • https://zopalaloxajuxu.weebly.com/uploads/1/3/0/6/130604259/8d2ee357.pdf
    • http://aairresearch.com/uploads/1/3/0/4/130483761/1520609.pdf
    • http://lemoniteboutique.com/uploads/1/3/0/3/130324278/zasonone.pdf
    • http://natesessentialtraining.com/uploads/1/3/0/4/130491599/mixakuz-xogidijal.pdf
    • http://gasu.ach-dziewczyny.online/uploads/2020/01/29/65fc759a7baf0.pdf
    • http://sgwilimediagroup.com/uploads/1/3/0/3/130312914/lolidujas.pdf
    • http://it-consultant.online/uploads/2020/01/28/banalabujoporo-jivukogarenexo-bezaduno.pdf
    • http://rob.mnekak.pro/uploads/2020/01/28/sexatonimabup.pdf
    • http://kcbevco.com/uploads/1/3/0/5/130588803/ferizagupev.pdf
    • http://msathletics.weebly.com/uploads/1/3/0/2/130270937/waputajisu_sevur_tudojifuxon_rosamevumavu.pdf
    • http://mywinningkidsseftworth.com/uploads/1/3/0/5/130545597/sixusavexejomig.pdf
    • http://ruxizhang.com/uploads/1/3/0/3/130324207/9551545.pdf
    • http://gaxukagabe.psk-es.ru/uploads/2020/01/27/41bbb49de.pdf
    • http://nysmaplepartridge.com/uploads/1/3/0/6/130603673/nigijajiwobok.pdf
    • http://5pointauto.com/uploads/1/3/0/6/130621619/130621619.html#ccs+university+examination+form+correction
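The PDF_SEO_LINK_FARM heuristic above is described in words only (small file, many clickable external links, most of them on one host), and the EMBEDDED_URL entry says URLs are labelled by the channel that carries them. The following is an added example, not the analysis platform's own code, that implements that logic for the link-annotation channel: it pulls every /URI target out of /Link annotation actions, groups them by host, and applies the three conditions. The thresholds (MAX_SIZE_BYTES, MIN_EXTERNAL_LINKS, MIN_TOP_HOST_SHARE), the hostnames, and the tiny PDF built by build_sample_pdf are assumptions constructed for the example; the real sample's links were not used.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlparse

# Thresholds are assumptions chosen for this example, not the report's own tuning.
MAX_SIZE_BYTES = 200 * 1024   # what counts as a "small PDF"
MIN_EXTERNAL_LINKS = 8        # "many clickable external links"
MIN_TOP_HOST_SHARE = 0.5      # "mostly clustered on one host"

# /URI literal string inside a link-annotation action. (?:\\.|[^\\)])* accepts
# escaped parentheses such as \( and \) that may appear inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def _pdf_escape(s: str) -> str:
    """Escape a string for use inside a PDF literal string (...)."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_sample_pdf(urls: list[str]) -> bytes:
    """Build a tiny uncompressed PDF with one /Link annotation per URL.
    Constructed test input only; it is not the analysed sample. The xref
    table is omitted because the heuristic below never needs it."""
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(urls)))
    objs = [
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{refs}] >> endobj",
    ]
    for i, u in enumerate(urls):
        objs.append(
            f"{10 + i} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
            f"/A << /S /URI /URI ({_pdf_escape(u)}) >> >> endobj"
        )
    pdf = "%PDF-1.4\n" + "\n".join(objs) + "\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    return pdf.encode("latin-1")


def extract_link_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in link-annotation actions
    (the 'link annotation' channel of the EMBEDDED_URL entry)."""
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1)
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_verdict(pdf: bytes) -> dict:
    """Apply the PDF_SEO_LINK_FARM conditions: small file, many external
    (http/https) links, and one host carrying most of them."""
    uris = extract_link_uris(pdf)
    hosts = Counter(
        (urlparse(u).hostname or "").lower()
        for u in uris
        if u.lower().startswith(("http://", "https://"))
    )
    total = sum(hosts.values())
    top_host, top_n = hosts.most_common(1)[0] if total else ("", 0)
    share = top_n / total if total else 0.0
    return {
        "size": len(pdf),
        "external_links": total,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "PDF_SEO_LINK_FARM": (
            len(pdf) <= MAX_SIZE_BYTES
            and total >= MIN_EXTERNAL_LINKS
            and share >= MIN_TOP_HOST_SHARE
        ),
    }


if __name__ == "__main__":
    # Constructed inputs: a link-farm-shaped PDF and a benign two-link document.
    farm = build_sample_pdf(
        [f"http://link-farm.example/uploads/2020/01/28/doc{i}.pdf" for i in range(7)]
        + ["http://other-a.example/x(1).pdf", "https://other-b.example/y.pdf",
           "http://other-c.example/z.html"]
    )
    print(link_farm_verdict(farm))
    print(link_farm_verdict(build_sample_pdf(
        ["https://vendor.example/spec.pdf", "mailto:someone@example.org"])))
```

The regex-based extraction only sees /URI strings stored in clear; a real triage run also has to inflate FlateDecode object streams and walk /OpenAction, JavaScript and content-stream text, which this example leaves out. Note that mailto: and other non-http schemes are counted as extracted but not as external links.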

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001492.bin
  SHA-256: 1bac60f4dc80d3572f0a2f9735c19cc34b449b689f6a08f09060cda1ff5b9a77
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1492
  Size:    8660 bytes

Filename: font_01_sfnt_off00007c57.bin
  SHA-256: 598b436daaf3d122157f8aae4d95cb5f98998d7541b527c84c982bd0659a624f
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7C57
  Size:    16888 bytes

Filename: font_02_sfnt_off00009523.bin
  SHA-256: 3d9dec35c45cbbe5dc4b40a727faaff45212732472c30aa47373f1aaad98f3ce
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x9523
  Size:    12136 bytes
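The three carved artifacts are sfnt font streams, and the report makes no claim about them beyond their hashes, offsets and sizes. A first triage step on such blobs is to confirm they really carry a well-formed sfnt table directory, since a table whose offset/length range runs past the end of the data is something no legitimate font produces and is worth a closer look. The following is an added example, not part of the report or the analysis platform, that performs that check; build_sfnt and its two-table font are constructed test input, and the forged_length parameter exists only so the example can produce a malformed directory on purpose. It would be run over each carved .bin file in turn.

```python
from __future__ import annotations

import hashlib
import struct

# Header tags a carved sfnt blob can legitimately start with.
SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf"}


def build_sfnt(tables: dict[bytes, bytes],
               forged_length: dict[bytes, int] | None = None) -> bytes:
    """Assemble a minimal sfnt: 12-byte header, one 16-byte directory entry per
    table, then the table data (4-byte aligned). Constructed test input only;
    forged_length writes a bogus length into the named entry to simulate a
    malformed directory."""
    forged_length = forged_length or {}
    num = len(tables)
    out = bytearray(b"\x00\x01\x00\x00" + struct.pack(">HHHH", num, 0, 0, 0))
    data_off = 12 + 16 * num
    body = bytearray()
    for tag, data in tables.items():
        length = forged_length.get(tag, len(data))
        out += struct.pack(">4sIII", tag, 0, data_off + len(body), length)
        body += data + b"\x00" * (-len(data) % 4)
    return bytes(out + body)


def check_sfnt(blob: bytes) -> dict:
    """Validate the sfnt header and table directory of a carved font blob.
    Reports every table whose [offset, offset + length) range lies outside the
    blob or overlaps the directory itself; a clean font has none."""
    sha256 = hashlib.sha256(blob).hexdigest()
    if len(blob) < 12 or blob[:4] not in SFNT_MAGICS:
        return {"valid": False, "reason": "no sfnt header", "sha256": sha256}
    if blob[:4] == b"ttcf":
        return {"valid": False, "reason": "TrueType collection: not handled here",
                "sha256": sha256}
    num_tables = struct.unpack(">H", blob[4:6])[0]
    dir_end = 12 + 16 * num_tables
    if dir_end > len(blob):
        return {"valid": False,
                "reason": f"directory of {num_tables} entries overruns the blob",
                "sha256": sha256}
    tables, out_of_bounds = {}, []
    for i in range(num_tables):
        tag, _checksum, off, length = struct.unpack_from(">4sIII", blob, 12 + 16 * i)
        name = tag.decode("latin-1")
        tables[name] = (off, length)
        if off < dir_end or off + length > len(blob):
            out_of_bounds.append(name)
    return {
        "valid": not out_of_bounds,
        "num_tables": num_tables,
        "tables": tables,
        "out_of_bounds": out_of_bounds,
        "sha256": sha256,
    }


if __name__ == "__main__":
    # Constructed fonts: a well-formed one and one with a forged 'glyf' length.
    sample_tables = {b"head": b"\x00" * 54, b"glyf": b"G" * 10}
    print(check_sfnt(build_sfnt(sample_tables)))
    print(check_sfnt(build_sfnt(sample_tables, forged_length={b"glyf": 0x7FFFFFFF})))
    print(check_sfnt(b"%PDF-1.4 not a font"))
```

The check is deliberately shallow: it does not parse table contents, so a font that exploits a bug inside, say, the glyf or CFF parser passes it. It is a cheap filter to run before handing the blob to a real font parser in a sandbox, and the SHA-256 it returns can be matched against the hashes listed in the artifact table.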