Malicious PDF — malware analysis report

Static analysis result for SHA-256 39cc659d2b4a9949…

MALICIOUS

PDF

Size: 38.6 KB
Authoring application: Karbon
MD5: 1f52100f89e779971421e58f8465a20c
SHA-1: a2c6bffa5a07a7839b3794c898507ab33aad5242
SHA-256: 39cc659d2b4a9949ba0e1318e9cbc749a00ed70a381ee28c9bf589fbfb5693fd
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded URLs pointing to other PDF documents, a technique often used for SEO spam or to distribute further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. The primary attack pattern observed is the creation of a link farm within the PDF, likely to manipulate search engine results or to serve as a distribution point for other malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://rosentalinvestment.com/uploads/1/3/0/5/130590532/8198182.pdf
    • http://molly-boone-wed.com/uploads/1/3/0/5/130551303/xolomuredunavas.pdf
    • http://bettingcheatsheet.com/uploads/1/3/0/3/130379523/romepipa.pdf
    • http://dariguve.monplezir.su/uploads/2020/01/27/4534225.pdf
    • http://emmabenic.com/uploads/1/3/0/5/130588527/zuriraregewi.pdf
    • http://krokus-avto.ru/uploads/2020/01/29/3792021.pdf
    • http://wanderlust-girl.com/uploads/1/3/0/5/130588620/bomiti.pdf
    • http://vedozowuxu.iraway.com/uploads/2020/01/27/gerubipaputuzug-simukaviv-rokatenin.pdf
    • http://mymountainstories.com/uploads/1/3/0/6/130620846/7dcea583f.pdf
    • http://difawir.copyrightcontact-100006175234952.com/uploads/2020/01/29/342484.pdf
    • http://myhealinghands.org.uk/uploads/1/3/0/3/130379431/2504895.pdf
    • https://towiviveva.weebly.com/uploads/1/3/0/5/130545096/muzajulisaloxatomo.pdf
    • http://iweargreatness.com/uploads/1/3/0/2/130291438/130291438.html#blank+circle+template+pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000012f9.bin
    SHA-256: 88448076c5b47228a98bf41cad92504ad715a57663b5ed89f8c3a223531d7239
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12F9
    Size: 7972 bytes
  • Filename: font_01_sfnt_off00005b86.bin
    SHA-256: d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5B86
    Size: 2616 bytes