Malicious PDF — malware analysis report

Static analysis result for SHA-256 28be69fcee2e8231…

Verdict: MALICIOUS

File type: PDF

Size: 47.3 KB
Authoring application: PDF Studio
MD5: e339da4eca6c52eb6ac62df2cdb93441
SHA-1: f1599f4c54b3c1a9993397905c053b808bbe139c
SHA-256: 28be69fcee2e823104a88030cc988533e6119dced28274456f9a95a997ce87ad
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs pointing to external PDF files. This pattern is indicative of a link farm or a distribution mechanism for further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier score both strongly suggest malicious intent. The document body itself is largely unreadable, but the presence of the URLs within it reinforces that assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://livasixo.finni.ru/uploads/2020/01/28/4779700.pdf
    • http://cuffedbyjewels.com/uploads/1/3/0/6/130604027/risutolajow.pdf
    • http://monkeesconcerts.com/uploads/1/3/0/5/130590689/42642245eb.pdf
    • http://rateyouthsports.com/uploads/1/3/0/2/130272877/6809051.pdf
    • http://mymaplehillfarm.com/uploads/1/3/0/4/130476342/4eb27b2a5.pdf
    • http://drgnwear.club/uploads/1/3/0/5/130540049/1878939.pdf
    • https://zixapiwem.weebly.com/uploads/1/3/0/2/130272342/sajoj.pdf
    • http://mcmurrians.ca/uploads/1/3/0/5/130588443/tuxined_fodojukeg.pdf
    • http://bajavek.remont-turbin-orenburg.ru/uploads/2020/01/29/xidimupejalavo.pdf
    • http://siatyus.com/uploads/2020/01/28/vuweg_guzifevoxexor_wedagimitoxu.pdf
    • http://mywiguide.com/uploads/1/3/0/5/130588232/danaxu.pdf
    • http://defokud.spikedtearadio.com/uploads/2020/01/29/guxavetatu_redal_tofexusabid.pdf
    • http://kicon-academic.com/uploads/1/3/0/3/130379266/fapevagaxinulosonax.pdf
    • http://kazutewu.chinafication.com/uploads/2020/01/27/vazumufufixorex.pdf
    • http://tozoxev.coachesportivo.com/uploads/2020/01/28/eb4cfb0fe34586.pdf
    • http://robefexi.imawareness.ru/uploads/2020/01/27/97b94629a90b.pdf
    • http://adentapoland.com/uploads/1/3/0/4/130435635/4325972.pdf
    • http://sidimulot.0vk.info/uploads/2020/01/27/xazunixog.pdf
    • http://savokemi.dveri-goodwin43.ru/uploads/2020/01/27/papogosebuzu.pdf
    • http://skylinesjewellery.com/uploads/1/3/0/5/130588668/1587190.pdf
    • http://wemoxapuz.datingnearme.in/uploads/2020/01/28/misutiged.pdf
    • https://rodimebeveluki.weebly.com/uploads/1/3/0/3/130379475/36974904678.pdf
    • https://sosoxajexemixe.weebly.com/uploads/1/3/0/3/130323235/37906.pdf
    • http://dramallamaranch.com/uploads/1/3/0/3/130379412/130379412.html#video+app++for+android+phone

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: font_00_sfnt_off0000167c.bin
  SHA-256: 5909acb56016912eb1b397cffaa039fc98b60a29a70ed3625a4d58f7002ef0a9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x167C
  Size: 8292 bytes

Artifact 2
  Filename: font_01_sfnt_off000070c9.bin
  SHA-256: 5d7ebd720715cd86529581f1d40cc643f68465477bd430d4be5ff736bc95f798
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x70C9
  Size: 16268 bytes