Malicious PDF — malware analysis report

Static analysis result for SHA-256 388a0d881c544b1e…

Verdict: MALICIOUS
File type: PDF
Size: 37.6 KB
Authoring application: GIMP
MD5: ab5c1241052febffbd66d2f25cc85aab
SHA-1: e2a7502c0d4435944c36fbc894f68f9d092bd7ba
SHA-256: 388a0d881c544b1e34fa387c7977adf9605eaf913044e7ca0ad73d5bfef65efb
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF file was flagged by ClamAV as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and a machine learning classifier gave a high-confidence malicious score. The primary heuristic that fired indicates a large number of external links, suggesting a link farm used for SEO manipulation or for distributing further malware. The embedded URLs, such as http://prikol.tv/uploads/2020/01/27/7533796.pdf, are likely part of this malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000185d.bin
SHA-256: afe427d0ded5f7ddf503070f6b465e39632b16af9325cf5cc28cc64132dd0ac0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x185D
Size: 8032 bytes