Malicious PDF — malware analysis report

Static analysis result for SHA-256 3110978b34ae5d7d…

MALICIOUS

PDF

Size: 35.5 KB
Authoring application: QPDF
MD5: a21b170863e209d4dce9f4a7c0fc798a
SHA-1: 056edfb9d7f0e5fe0c341dbc76915bc71fe76bc9
SHA-256: 3110978b34ae5d7d1a7f9c8ce22cd5a030a474bbda20dea73dbdab0aef5b2c2f
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a large number of clickable link annotations whose targets are external PDF documents on unrelated hosts, a pattern characteristic of generated SEO/link-farm PDFs that route users into phishing or unwanted-software delivery chains rather than of ordinary document citation. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the PDF_SEO_LINK_FARM heuristic both flag this pattern, and the ML classifier scored the file as malicious with maximum confidence (1.0000). The extracted URLs are evidence of where the document redirects, not detections in themselves; treat them as indicators to block or sinkhole, not as links to open.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://tatepazu.funblog.online/uploads/2020/01/27/solifelafulu_koleg_joxagevi.pdf
    • http://natashacorriephotography.com/uploads/1/3/0/6/130603838/vakew.pdf
    • http://muizen-bestrijding.com/uploads/1/3/0/2/130289543/89c6247.pdf
    • http://susanmastalsfoundation.org/uploads/1/3/0/5/130545745/lunurofumula.pdf
    • http://robinhoodinabox.com/uploads/1/3/0/5/130550750/8c043594aa58.pdf
    • https://fademudom.weebly.com/uploads/1/3/0/6/130604902/81a04.pdf
    • http://nileinstitute.org/uploads/1/3/0/5/130542729/1786773.pdf
    • http://dekalbdrc.weebly.com/uploads/1/3/0/6/130639226/nutavaged.pdf
    • http://bslartquilts.com/uploads/1/3/0/5/130588811/gopuwopikidutefa.pdf
    • http://datservo.tech/uploads/2020/01/27/e6d8adfea29d153.pdf
    • http://foxvalleychurch.me/uploads/1/3/0/4/130476372/faf5ae8.pdf
    • http://temadecor.ru/uploads/2020/01/28/nofofokusopezap.pdf
    • http://scouttroop79.com/uploads/1/3/0/2/130289352/1241b1ca74d.pdf
    • http://crafted-espresso.com/uploads/1/3/0/5/130539414/6df7ba.pdf
    • http://polun.audiostart43.icu/uploads/2020/01/27/toxowogaxopuxuj.pdf
    • http://podollangpis.devsite-1.com/uploads/1/3/0/4/130483989/130483989.html#identifying+indirect+characterization+worksheet
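To make the PDF_SEO_LINK_FARM heuristic above reproducible, the following is an added example (not the scanner's own code) that pulls /URI actions out of raw PDF bytes and applies the same signals: small file, many external links, targets that are themselves .pdf, and per-host clustering. The thresholds, the example.* hostnames and the sample PDF built inline are constructed for this example and are not taken from the report. The extractor only sees uncompressed PDF syntax; a real sample whose annotations sit inside compressed object streams must be normalised first (e.g. qpdf --qdf --object-streams=disable), which is also the tool this sample's metadata names as its authoring application.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# A URI action's target is the /URI key. PDF strings come in two forms:
# literal "(...)" with backslash escapes, and hex "<...>".
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def extract_uri_actions(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in uncompressed PDF syntax, in file order.
    Caveat: objects inside compressed object streams are invisible to this scan;
    decompress them first (e.g. qpdf --qdf --object-streams=disable)."""
    found = []
    for m in _URI_LITERAL.finditer(pdf_bytes):
        # Strip the backslash from \( \) \\ escapes; octal \ddd escapes are not handled here.
        raw = re.sub(rb"\\(.)", rb"\1", m.group(1))
        found.append((m.start(), raw.decode("latin-1")))
    for m in _URI_HEX.finditer(pdf_bytes):
        hexdigits = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        if len(hexdigits) % 2:  # PDF pads a trailing odd nibble with 0
            hexdigits += "0"
        found.append((m.start(), bytes.fromhex(hexdigits).decode("latin-1")))
    return [u for _, u in sorted(found)]


def score_link_farm(pdf_bytes: bytes, *, max_size=100 * 1024, min_links=10,
                    min_pdf_ratio=0.8) -> dict:
    """Link-farm check in the spirit of PDF_SEO_LINK_FARM.
    The thresholds are assumptions for this example, not the scanner's values."""
    urls = extract_uri_actions(pdf_bytes)
    external = [u for u in urls if urlparse(u).scheme in ("http", "https")]
    pdf_targets = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    pdf_ratio = len(pdf_targets) / len(external) if external else 0.0
    return {
        "size": len(pdf_bytes),
        "links": len(urls),
        "external_links": len(external),
        "pdf_targets": len(pdf_targets),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / len(external) if external else 0.0,
        "fires": (len(pdf_bytes) <= max_size
                  and len(external) >= min_links
                  and pdf_ratio >= min_pdf_ratio),
    }


def build_sample_pdf(urls) -> bytes:
    """Constructed, uncompressed PDF with one /Link annotation per URL (no xref table;
    enough for the regex scan, not for a viewer). Every other URI is written as a
    hex string so both string forms are exercised."""
    body = [b"%PDF-1.4\n"]
    annot_refs = []
    obj_num = 4
    for i, url in enumerate(urls):
        raw = url.encode("latin-1")
        if i % 2:
            uri = b"<" + raw.hex().encode("ascii") + b">"
        else:
            esc = raw.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
            uri = b"(" + esc + b")"
        body.append(b"%d 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI %s >> >>\nendobj\n" % (obj_num, uri))
        annot_refs.append(b"%d 0 R" % obj_num)
        obj_num += 1
    body.append(b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n")
    body.append(b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n")
    body.append(b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + b" ".join(annot_refs) + b"] >>\nendobj\n")
    body.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(body)


# Constructed sample: 8 links on one host, 3 more .pdf links elsewhere, one .html, one mailto.
SAMPLE_URLS = [
    f"http://files.example.net/uploads/1/3/0/5/13050{i}/doc{i}.pdf" for i in range(8)
] + [
    "http://cdn.example.org/uploads/2020/01/27/a1b2c3.pdf",
    "https://static.example.com/uploads/1/3/0/6/130604/x.pdf",
    "http://blog.example.net/uploads/2020/01/28/y.pdf",
    "http://mirror.example.org/uploads/1/3/0/4/130483/index.html#worksheet",
    "mailto:webmaster@example.org",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    for key, value in score_link_farm(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

Run it over a real sample with score_link_farm(open(path, "rb").read()); the returned URLs are indicators to block, not to fetch. The top_host_share figure is what the heuristic text calls clustering on one host; on a sample like the one above, where the links spread across many hosts that share the same /uploads/ path template, the pdf_targets ratio carries the signal instead.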

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000013f2.bin
SHA-256: 03b66d1977415d490ccca8686e7616fad17e51e864898fac90f528d46f5e72cf
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x13F2
Size: 7576 bytes