Malicious PDF — malware analysis report

Static analysis result for SHA-256 351ce4e7ac4ea95b…

Verdict: MALICIOUS
File type: PDF
Size: 42.7 KB
Authoring application: QPDF
MD5: bb9ad9d647059ea7be45c96c91b9471d
SHA-1: 814124b08f0ea4b7df55aede8baaaafcd3cb8fd6
SHA-256: 351ce4e7ac4ea95bfc9989fbf6713ac172247724815a56930402a19ee554d943
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, identified as a link farm. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically phishing. The embedded URLs likely lead to further malicious content or phishing pages. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://truevaluelawncare.com/uploads/1/3/0/3/130323518/4345953.pdf
    • http://puzzlesforprogress.com/uploads/1/3/0/4/130476632/bbf6402b59187f.pdf
    • http://survivingmytwentysomethings.com/uploads/1/3/0/2/130291827/pofewuseni-bosekunom.pdf
    • http://clarksontherapy.com/uploads/1/3/0/6/130621110/dutolulot.pdf
    • http://pilatesandyogawithsharon.com/uploads/1/3/0/5/130588622/519180.pdf
    • http://bellinghamweekly.org/uploads/1/3/0/6/130639821/badonogoxaponam.pdf
    • http://meat-taffy.org/uploads/1/3/0/7/130739212/dedokapepano-libasatife-zebatam.pdf
    • http://bourbonhome.com/uploads/1/3/0/5/130590673/2608697.pdf
    • http://hodgy.me/uploads/1/3/0/7/130739023/5581132.pdf
    • http://moosemanormi.com/uploads/1/3/0/4/130435956/1572756.pdf
    • http://ewk8b8.salon225.com/uploads/1/3/0/7/130775633/130775633.html#one+night+ultimate+werewolf+rules+minion

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005159.bin
SHA-256: a1470f0400681b8bbe3526728d82b84d0c9c4bee35e2fc57f233ee07be6c27fa
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5159
Size: 8040 bytes