Malicious PDF — malware analysis report

Static analysis result for SHA-256 267ca3a80bd302a9…

Verdict: MALICIOUS
File type: PDF
Size: 41.4 KB
Authoring application: Karbon
MD5: 1f91f894789613f956cc67c5ba142631
SHA-1: 80ad6a6a7407481152896ac73d169f59fd952931
SHA-256: 267ca3a80bd302a9fd3c95e157b41140a1ce9ac9f0779ff00ccdba9cabd77610
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links pointing to external PDF files, with the primary domain 'lijinimax.paypal-support-limitted.com' impersonating PayPal. This indicates a phishing attempt designed to redirect users to a malicious site. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing classification.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://lijinimax.paypal-support-limitted.com/uploads/2020/01/28/2784570.pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001756.bin
SHA-256: 6507e6725dc9321f4def73f3ee15baaf2eabfd5c8ef08e0b73ac40c56b157ab0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1756
Size: 8992 bytes