Malicious PDF — malware analysis report

Static analysis result for SHA-256 2fc2e17b94855f91…

Verdict: MALICIOUS
File type: PDF
Size: 48.8 KB
Authoring application: Solid Converter PDF
MD5: e665745b6d699a94ab72b24cc294f9fc
SHA-1: fbd9ad5e586cc6df3e213770953f34df681d29d6
SHA-256: 2fc2e17b94855f91934899fca4e2f1a758a1a9f14f543cdccf7f39d014b64d30
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link    T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a large number of clickable links to external PDF files, a pattern typical of SEO-poisoning link farms that route search traffic into malicious or unwanted-software delivery chains. The twenty .pdf links point to twenty distinct hosts but share a single path layout (/uploads/1/3/0/<n>/<nine digits>/<name>.pdf), which is consistent with bulk generation rather than a normal citation pattern. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the Nyx classifier score of 0.9999 agree with this assessment. The embedded URLs likely lead to phishing pages or further malware downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://zealrefund.com/uploads/1/3/0/5/130545985/4e07e40.pdf
    • http://innovatorsunion.com/uploads/1/3/0/5/130588575/dupinuvika_nefisig_dizeber_wisanob.pdf
    • http://redcarpetmontage.com/uploads/1/3/0/5/130539350/6d649b6f23ff.pdf
    • http://antconsultationrooms.com/uploads/1/3/0/2/130288399/715f0b7.pdf
    • http://drsheridanpsychology.com.au/uploads/1/3/0/5/130551876/f49498ead.pdf
    • http://denvermetroprotocols.com/uploads/1/3/0/6/130621527/kefezun-vebivafa.pdf
    • http://nannymoscow.ru/uploads/1/3/0/7/130775252/mopavuv.pdf
    • http://www.folicureinc.com/uploads/1/3/0/5/130588349/manegegisufelaf_nefolijetok_nuvunur_sarevokaga.pdf
    • http://agbumdsalumni.org/uploads/1/3/0/8/130874544/38049cdc30.pdf
    • http://longdistancevoter.net/uploads/1/3/0/6/130639131/muwovam_sizamug_defifojugiva.pdf
    • http://mymlmbiz.com/uploads/1/3/0/8/130814085/sufupilil_pujidozenuwaz.pdf
    • http://surggripper.com/uploads/1/3/0/4/130489763/dobedufibum.pdf
    • http://talesfromsixthgrade.com/uploads/1/3/0/4/130435748/905d3.pdf
    • http://solutioncities.org/uploads/1/3/0/7/130775635/sadegafilen.pdf
    • http://cacrosuc.com/uploads/1/3/0/5/130588899/wovak.pdf
    • http://twincitysanta.com/uploads/1/3/0/2/130271171/7229958.pdf
    • http://metlifeunpaidpensions.com/uploads/1/3/0/6/130639453/tutolaxaluwosasire.pdf
    • http://www.bistorm.dadgifts.us/uploads/1/3/0/5/130590310/9489662.pdf
    • http://negativeopus.net/uploads/1/3/0/7/130738566/9705b7fe6bc683.pdf
    • http://sunscar.com/uploads/1/3/0/6/130603965/fddaa1f5737.pdf
    • http://encore00032.voyagerwebsites.com/uploads/1/3/0/5/130541763/130541763.html#phonics+center+activities+for+kindergarten
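The PDF_SEO_LINK_FARM heuristic above can be reproduced with a short triage script. The following is an added example, not the scanner's own code: it pulls URIs out of uncompressed /Link annotations with a regular expression (links stored in FlateDecode object streams are invisible to it and need a real PDF parser), then scores the file on size, number of external .pdf links, and how strongly those links cluster. It generalises the rule text slightly: besides clustering on one host, it also clusters on path layout with digit runs collapsed, because the sample on this page spreads its links over twenty hosts that all share the /uploads/1/3/0/<n>/<nine digits>/ layout. The thresholds, the .example hosts, and the minimal PDF builder are assumptions constructed for the demo.

```python
"""Link-farm triage for a PDF (added example; not the analysis platform's code)."""
import re
from collections import Counter
from urllib.parse import urlparse


def build_sample_pdf(urls):
    """Build a minimal uncompressed PDF: one page, one /Link annotation per URL.
    Constructed test input; real samples often keep annotations in compressed
    object streams, which the regex pass below cannot see."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annot_refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                f"/Annots [{annot_refs}] >>".encode("latin-1"))
    for u in urls:
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({u}) >> >>".encode("latin-1"))
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_at = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_at}\n%%EOF\n").encode()
    return bytes(out)


# Literal-string /URI values; handles the \( \) \\ escapes PDF allows inside ( ).
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def extract_link_uris(pdf_bytes):
    """URIs from /URI actions stored as literal strings, in file order.
    Only uncompressed objects are visible to this pass."""
    return [re.sub(rb"\\([()\\])", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf_bytes)]


def score_link_farm(pdf_bytes, max_size=200_000, min_links=10, cluster_ratio=0.6):
    """Assumed thresholds (not the scanner's): flag a file under max_size that
    carries at least min_links external .pdf links when most of them share
    one host or one path layout."""
    uris = extract_link_uris(pdf_bytes)
    pdf_links = [u for u in uris
                 if u.lower().startswith(("http://", "https://"))
                 and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    # Collapse digit runs so /uploads/1/3/0/5/130545985 and /uploads/1/3/0/8/130874544
    # count as the same upload layout.
    shapes = Counter(re.sub(r"\d+", "N", urlparse(u).path.rsplit("/", 1)[0])
                     for u in pdf_links)
    top_host = hosts.most_common(1)[0] if hosts else ("", 0)
    top_shape = shapes.most_common(1)[0] if shapes else ("", 0)
    clustered = bool(pdf_links) and \
        max(top_host[1], top_shape[1]) >= cluster_ratio * len(pdf_links)
    return {
        "size": len(pdf_bytes),
        "uris": len(uris),
        "external_pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_path_shape": top_shape,
        "PDF_SEO_LINK_FARM": len(pdf_bytes) <= max_size
                             and len(pdf_links) >= min_links and clustered,
    }


# Constructed URLs imitating the layout seen in this report (hosts are .example placeholders).
FARM_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/13{i:07d}/doc{i:02d}.pdf"
             for i in range(12)]
FARM_URLS.append("http://site99.example/uploads/1/3/0/5/130541763/130541763.html#phonics+center")
SAMPLE_FARM = build_sample_pdf(FARM_URLS)
SAMPLE_BENIGN = build_sample_pdf([
    "https://docs.example/whitepaper.pdf",
    "https://standards.example/spec/v2.pdf",
])

if __name__ == "__main__":
    for name, blob in (("farm", SAMPLE_FARM), ("benign", SAMPLE_BENIGN)):
        print(name, score_link_farm(blob))
```

Run the script as-is to see the farm sample flagged and the two-citation sample pass; feed it a real file with `score_link_farm(open(path, "rb").read())`. If the URI count comes back zero on a sample that visibly has links, the annotations are in an object stream and the file should go through a full parser before concluding anything.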

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off00005256.bin
  SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5256
  Size: 1708 bytes

font_01_sfnt_off00005d93.bin
  SHA-256: 2baa4eedced1a668d6cc2e51a1f3fc43e0a8e335855bb64a3fcbd9458d6f28cc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5D93
  Size: 8616 bytes
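The font records above come from carving embedded streams at their byte offsets and hashing the payload. The following is an added example of that step, not the platform's own carver: it walks every uncompressed stream with a direct integer /Length, checks that the declared length actually lands on the endstream keyword (a lying /Length is a classic way to hide data from naive tools), keeps only payloads that begin with an sfnt magic (TrueType, OpenType, or a TrueType collection), and names each carve with the same font_NN_sfnt_offXXXXXXXX.bin convention used in this report. Indirect lengths (/Length N 0 R) and compressed streams are skipped on purpose. The sample PDF and the stub font header inside it are constructed for the demo and are not a real font.

```python
"""Carve sfnt font streams out of a PDF and hash them (added example, not the scanner's code)."""
import hashlib
import re

# First four bytes of TrueType / OpenType(CFF) / TrueType-collection files.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

# Direct integer /Length only; "/Length 7 0 R" (indirect) is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
STREAM_KW = re.compile(rb"(?<!end)stream\r?\n")   # skip the "stream" inside "endstream"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_sfnt_streams(pdf_bytes, window=512):
    """Return one record per uncompressed stream whose payload starts with an sfnt magic."""
    found = []
    for m in STREAM_KW.finditer(pdf_bytes):
        # The stream dictionary sits between the enclosing "N G obj" and the stream keyword.
        head = pdf_bytes[max(0, m.start() - window):m.start()]
        obj_at = head.rfind(b"obj")
        if obj_at >= 0:
            head = head[obj_at:]
        lengths = LENGTH_RE.findall(head)
        if not lengths:
            continue   # indirect /Length needs an xref-aware parser
        length = int(lengths[-1])
        start = m.end()
        data = pdf_bytes[start:start + length]
        after = pdf_bytes[start + length:start + length + 16].lstrip(b"\r\n")
        if len(data) != length or not after.startswith(b"endstream"):
            continue   # declared length does not land on endstream: corrupt or lying
        if data[:4] not in SFNT_MAGICS:
            continue   # images, content streams, etc.
        found.append({
            "filename": f"font_{len(found):02d}_sfnt_off{start:08x}.bin",
            "offset": start,
            "size": length,
            "sha256": sha256_hex(data),
        })
    return found


# Constructed sample: a stub sfnt header (version 1.0, 11 tables, zero padding), not a real font.
FONT_STUB = b"\x00\x01\x00\x00\x00\x0b" + b"\x00" * 26
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 12   # a non-font stream the carver must skip


def _obj(num, body):
    return str(num).encode() + b" 0 obj\n" + body + b"\nendobj\n"


def _stream_obj(num, extra, data):
    return _obj(num, b"<< " + extra + b" /Length " + str(len(data)).encode()
                + b" >>\nstream\n" + data + b"\nendstream")


SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    _obj(1, b"<< /Type /Catalog /Pages 2 0 R >>"),
    _stream_obj(5, b"/Type /XObject /Subtype /Image /Filter /DCTDecode", JPEG_STUB),
    _obj(6, b"<< /Type /FontDescriptor /FontName /Stub /FontFile2 7 0 R >>"),
    _stream_obj(7, b"/Length1 " + str(len(FONT_STUB)).encode(), FONT_STUB),
])

if __name__ == "__main__":
    for rec in carve_sfnt_streams(SAMPLE_PDF):
        print(rec)
```

Write each record's bytes to its filename to reproduce the artifact table; the sha256 of the carved bytes is what should be pivoted on, since two PDFs built by the same toolchain tend to embed the same font subsets.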