Malicious PDF — malware analysis report

Static analysis result for SHA-256 2fe7dff503237095…

MALICIOUS

PDF

Size: 34.3 KB
Authoring application: pstoedit
First seen: 2021-02-09

MD5: 2e1ad13787ae09a682453837b2b5c92d
SHA-1: c429bb7cd22cdf4bfa4e24aaede3c4b0d6bb1131
SHA-256: 2fe7dff50323709510c87e6a356a44f8210e72071cdfb0cfa1b661b27b94bed7

Risk Score: 192

Machine Learning

  • Nyx PDF Classifier: malicious, score 0.9999

Heuristics (4)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, label: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm (severity: critical, label: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF link to algorithmically-generated URL (severity: high, label: PDF_RANDOM_URL_LINK)
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures: the visible document is only a prompt. It is not a PDF parser vulnerability.
  • Embedded URL (severity: info, label: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL channel (macro, JS, link annotation, document body, ...) for how each URL was reached.
    URL (channel: in PDF document text)
    • http://themoonandmeapothecary.com/uploads/1/3/0/4/130491356/bedc52b87a.pdf
    • http://rockthecatspa.net/uploads/1/3/0/5/130551184/b8402c12eafe83d.pdf
    • http://pnevmolux.su/uploads/2020/01/28/8110944.pdf
    • https://subazekuru.weebly.com/uploads/1/3/0/4/130476148/6983672.pdf
    • https://firesugufiz.weebly.com/uploads/1/3/0/2/130287503/4950948.pdf
    • http://bimilavap.top-indoor.ru/uploads/2020/01/28/betukajukebet.pdf
    • http://lorenamartinezhomes.com/uploads/1/3/0/4/130476538/benebewilanu.pdf
    • http://wellsonlineserviceverifications.biz/uploads/2020/01/27/mazed-buvegofimatefaz.pdf
    • http://xitejuwi.remont-turbin-orenburg.ru/uploads/2020/01/27/5723768.pdf
    • http://altaigrand.com/uploads/2020/01/28/tesoje-jisefi.pdf
    • https://sabewezavidi.weebly.com/uploads/1/3/0/5/130550832/kikubedejuguwixi.pdf
    • http://theavamari.com/uploads/1/3/0/6/130621481/130621481.html#tamil+dubbed+horror+movies+2019++isaidub
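The two content heuristics above (PDF_SEO_LINK_FARM and PDF_RANDOM_URL_LINK) can be reproduced in a small triage script. The following is an added example written for this page, not the analysis platform's own code: it pulls URLs out of raw PDF bytes from /URI link annotations and from uncompressed text, then applies the link-farm test (many external .pdf links, most on one host, in a small file) and the randomized-redirector test (a pronounceable-random host label together with a long high-entropy path/query token). All thresholds, the "pronounceable-random" scorer, the host names and the sample PDF bytes are assumptions constructed for illustration; real content streams are usually Flate-compressed and must be decoded first, which this extractor does not do.

```python
"""Heuristic triage of URLs carried by a PDF (added example; thresholds are assumptions)."""
import math
import re
from collections import Counter
from urllib.parse import urlparse

# Thresholds chosen for illustration, not the analysis platform's values.
SMALL_PDF_BYTES = 100 * 1024   # upper bound for a "small PDF"
MIN_FARM_LINKS = 5              # external .pdf links needed before calling it a farm
TOP_HOST_SHARE = 0.5            # share of those links that must sit on the busiest host
MIN_TOKEN_LEN = 12              # minimum path/query token length for the entropy test
MIN_TOKEN_ENTROPY = 3.0         # bits per character

URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")      # /A << /S /URI /URI (...) >>
BARE_URL_RE = re.compile(rb"https?://[^\s()<>'\"]+")  # URLs in uncompressed text


def extract_urls(pdf_bytes: bytes) -> dict:
    """Map each URL to the channel it was found in ('link annotation' or 'document text')."""
    found = {}
    for m in URI_ANNOT_RE.finditer(pdf_bytes):
        found[m.group(1).decode("latin-1")] = "link annotation"
    for m in BARE_URL_RE.finditer(pdf_bytes):
        found.setdefault(m.group(0).decode("latin-1").rstrip("."), "document text")
    return found


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label: str) -> bool:
    """Crude stand-in for a pronounceable-random detector (assumption): a long, purely
    alphabetic label with a balanced vowel ratio and near-strict consonant/vowel
    alternation, the output of simple syllable generators such as 'subazekuru'."""
    if len(label) < 8 or not label.isalpha():
        return False
    classes = [ch in "aeiou" for ch in label.lower()]
    vowel_ratio = sum(classes) / len(classes)
    alternation = sum(a != b for a, b in zip(classes, classes[1:])) / (len(classes) - 1)
    return 0.3 <= vowel_ratio <= 0.6 and alternation >= 0.85


def has_high_entropy_token(url: str) -> bool:
    """True if the path or query carries a long token with high per-character entropy."""
    p = urlparse(url)
    for tok in re.split(r"[^A-Za-z0-9]+", p.path + " " + p.query):
        if len(tok) >= MIN_TOKEN_LEN and shannon_entropy(tok) >= MIN_TOKEN_ENTROPY:
            return True
    return False


def triage(pdf_bytes: bytes) -> dict:
    """Return extracted URLs plus the heuristic labels that fire on them."""
    urls = extract_urls(pdf_bytes)
    labels = []
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    if (len(pdf_bytes) <= SMALL_PDF_BYTES and len(pdf_links) >= MIN_FARM_LINKS
            and hosts.most_common(1)[0][1] / len(pdf_links) >= TOP_HOST_SHARE):
        labels.append("PDF_SEO_LINK_FARM")
    random_urls = []
    for u in urls:
        host_labels = (urlparse(u).hostname or "").split(".")[:-1]   # ignore the TLD
        if any(looks_generated(lbl) for lbl in host_labels) and has_high_entropy_token(u):
            random_urls.append(u)
    if random_urls:
        labels.append("PDF_RANDOM_URL_LINK")
    return {"urls": urls, "labels": labels, "random_urls": random_urls,
            "top_host": hosts.most_common(1)}


# Constructed sample (not the report's file): six link annotations on one host, one
# randomized-redirector annotation, and one URL sitting in an uncompressed text stream.
SAMPLE_PDF = b"%PDF-1.4\n" + b"".join(
    b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://linkfarm.test/uploads/1/3/0/4/1304913%02d/file%02d.pdf) >> >> endobj\n"
    % (i, i, i) for i in range(1, 7)
) + b"""7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://vozekutaqi.example/go?t=K7fG2pQz9xLm4Rw8Bn3Hs6) >> >> endobj
8 0 obj << /Length 64 >> stream
BT (Download: http://docs.example.net/brochure.pdf) Tj ET
endstream endobj
%%EOF
"""

if __name__ == "__main__":
    result = triage(SAMPLE_PDF)
    print(result["labels"], result["top_host"], result["random_urls"])
```

Both labels fire on the constructed sample: the farm test because six of the seven .pdf links point at one host, the random-URL test because the host label vozekutaqi passes the alternation scorer and the query token is 22 unique characters long. Neither test depends on the visible document content, which is the point of the report's remark that the document is only a prompt.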

Extracted artifacts (1)

Files carved from inside the sample during analysis. An embedded font stream is a routine PDF component; it is listed here for completeness and is not itself a detection.

Filename: font_00_sfnt_off00001310.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1310
Size: 8424 bytes
SHA-256: 42019995a23d01208eff4ab0317138eac152f249825ec12d1114d192be341864