Malicious PDF — malware analysis report

Static analysis result for SHA-256 2e3be35a0d26e287…

Verdict: MALICIOUS
File type: PDF
Size: 36.5 KB
Authoring application: Nitro PDF
MD5: 0cb18f2779a0f87509114cc51499ce76
SHA-1: 205b5dfb0b061ddf11b3bae44718503579ba9a69
SHA-256: 2e3be35a0d26e2875b17031b570eabc37d0a960009f8fba15d308fa174bb4922
Risk score: 160

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF file contains a large number of external links to other PDF files, suggesting a link farm or redirection mechanism. The 'SE_PASSWORD_ARCHIVE_LURE' heuristic indicates the document likely provides instructions to decrypt a password-protected archive, a common tactic to evade initial security scans. The ClamAV detection 'Pdf.Dropper.Agent-7728552-0' further confirms its malicious nature as a dropper. The embedded URLs are likely part of this distribution chain.

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-7728552-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7728552-0
  • Password-protected archive handoff (severity: high, rule: SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003187.bin
SHA-256: 5a190ec7172b3c543efd1e21470f081d2382b8080337d92fc27619d3aac03b33
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3187
Size: 8280 bytes