Malicious PDF — malware analysis report

Static analysis result for SHA-256 39b10e7cbd5e4187…

MALICIOUS

PDF

Size: 40.3 KB
Authoring application: Adobe PDF Library 9.0
MD5: d9234ba64ca5f83b2314b770dc794d05
SHA-1: da46a5ebe9b7b30c0df9a38bb54ce5bf82c646c2
SHA-256: 39b10e7cbd5e41876d9c80aafc11afec4d4a11f460a9a80964712f0257ef9de4
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs, as indicated by the PDF_SEO_LINK_FARM heuristic. These URLs likely lead to malicious content or further phishing attempts. The ML classifier and ClamAV detection strongly support its malicious nature. The document body, though partially corrupted, contains references to 'Adobe PDF Library' and 'Telkomsel access point android', suggesting a lure to trick users into downloading or interacting with the linked content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Dropper.Agent-7892533-0
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7892533-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000128e.bin
    Hash: 8fbb5c049dc3121bf434ace963dec1d2d814f28509888008eb6f787375e6fa43
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x128E
    Size: 8636 bytes