Malicious PDF — malware analysis report

Static analysis result for SHA-256 3d55e398571b291a…

Verdict: MALICIOUS
File type: PDF
Size: 75.4 KB
Authoring application: Solid Converter PDF
MD5: f2ab802dddf9ef09b032892dccf53c67
SHA-1: 3b92af355fdfcd3378f295b0d635aca832b60e8c
SHA-256: 3d55e398571b291a613f534833fa06dbcc51d9e3c7069472d26d25e7ff5c1330
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious by ClamAV and an ML classifier, exhibiting characteristics of a phishing or SEO spam campaign. The heuristic 'PDF_SEO_LINK_FARM' indicates the presence of 31 external PDF links, with the primary domain being 'regalbakeryusa.com'. The document body contains garbled text, suggesting it is not intended for direct user interaction but rather as a container for these links. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000017eb.bin
  SHA-256: 974a0ad9e06e3d599c4fda55363f58ac485a12df46158a6a44f5ca71f124bbab
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x17EB
  Size: 10104 bytes

Filename: font_01_sfnt_off0000cc21.bin
  SHA-256: 14bf2aa4999369fc182bc45a2ddc096be090f4998e497360e0cca63f913f7d23
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCC21
  Size: 2392 bytes

Filename: font_02_sfnt_off0000d61f.bin
  SHA-256: 6f13902c56231375baabd7d7a9d552d75f195749e16f985683da6610eceab72e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD61F
  Size: 2856 bytes

Filename: font_03_sfnt_off0000df99.bin
  SHA-256: 2ad4c29ddce7133df08314b69d1a74b1f4978eac830db1561c727783cb797fdf
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xDF99
  Size: 16556 bytes