Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e43463f58149ce5…

Verdict: MALICIOUS
File type: PDF
Size: 65.5 KB
Authoring application: Karbon
MD5: ef9b56f409f03e28772393ecb84c05c3
SHA-1: b2741f15490f1ed55ee8554eb41d5989c86bb61e
SHA-256: 3e43463f58149ce5394f59a88100526a22889dc3362a47301c9bf195cf76ab7f
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

ClamAV flagged the PDF as Pdf.Phishing.TtraffRobotInstall-7605656-0, and a machine learning classifier assigned it a high probability of being malicious. The PDF_SEO_LINK_FARM heuristic fired because the document is a mass external PDF link farm: a small file whose content is dominated by clickable links to other hosted PDFs, several of them on potentially malicious domains. URLs embedded this way are typically used to redirect the reader to phishing pages or malware downloads; the verdict rests on that redirection chain rather than on any exploit in the file itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9972

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF containing many clickable external links to other PDFs, mostly clustered on one host. This matches machine-generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not the citation pattern of a normal document.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV signature match: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URLs [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label records which channel (macro, JavaScript, link annotation, document body, ...) reached each URL. URLs extracted from this sample:
    • http://younglitigator.org/uploads/1/3/0/2/130272640/ba13263d18.pdf
    • https://wojurabajel.weebly.com/uploads/1/3/0/2/130288427/6e470d895ad50f2.pdf
    • http://paytosite.icu/uploads/2020/01/27/zuzusuni.pdf
    • http://audiostart42.icu/uploads/2020/01/29/sonegapudilox.pdf
    • http://employeeadvocateinstitute.net/uploads/1/3/0/3/130323674/919b4bcacb1.pdf
    • http://kerriturnerpianostudio.com/uploads/1/3/0/4/130477805/fetapofokoxamafaro.pdf
    • http://misssupremepurityqueen.com/uploads/1/3/0/2/130289581/130289581.html#aarti+durga+mata+ki
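The two heuristics above (per-channel URL extraction and the link-farm check) as an added Python example. This is not the scanner's own code: it scans the raw bytes for /URI link-action strings and /JS script strings, so it only sees objects that are not inside compressed streams (decompress real samples first, e.g. with qpdf --qdf); the thresholds, the .example hostnames and the sample PDF it builds are assumptions and constructed input.

```python
"""Added example: per-channel URL extraction plus a PDF_SEO_LINK_FARM-style check.
Not the scanner's own code. Byte-level scan; objects inside compressed streams
are invisible to it. Thresholds and .example URLs are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed thresholds, not the scanner's; tune to your corpus.
MAX_SIZE_BYTES = 256 * 1024      # "small PDF"
MIN_EXTERNAL_LINKS = 6           # "many clickable external links"
MIN_TOP_HOST_SHARE = 0.5         # "mostly clustered on one host"
MIN_PDF_TARGET_SHARE = 0.5       # link targets that are themselves .pdf

KEY_RE = re.compile(rb"/(URI|JS)\s*\(")        # /URI (...) action key or /JS (...) script
URL_RE = re.compile(r"https?://[^\s()<>\"']+")


def read_literal(pdf: bytes, start: int):
    """Parse a PDF literal string whose '(' is at pdf[start]; return (text, end).
    Handles balanced nested parentheses and backslash escapes (octal escapes kept as-is)."""
    depth, i, out = 0, start, bytearray()
    while i < len(pdf):
        c = pdf[i:i + 1]
        if c == b"\\":                           # escaped character: take it verbatim
            nxt = pdf[i + 1:i + 2]
            out += {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(nxt, nxt)
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:                       # the opening paren of the string itself
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out).decode("latin-1"), i + 1
        out += c
        i += 1
    raise ValueError("unterminated PDF literal string")


def extract_urls(pdf: bytes):
    """Return [(channel, url)]: 'link-annotation' for /URI actions, 'javascript' for
    URLs inside /JS strings, 'body' for bare URLs found anywhere else in the file."""
    found, covered = [], []
    for m in KEY_RE.finditer(pdf):
        channel = "link-annotation" if m.group(1) == b"URI" else "javascript"
        text, end = read_literal(pdf, m.end() - 1)
        covered.append((m.start(), end))
        found += [(channel, u.group(0)) for u in URL_RE.finditer(text)]
    for m in URL_RE.finditer(pdf.decode("latin-1")):   # latin-1 keeps byte offsets 1:1
        if not any(a <= m.start() < b for a, b in covered):
            found.append(("body", m.group(0)))
    return found


def link_farm_verdict(pdf: bytes):
    """PDF_SEO_LINK_FARM-style decision over the clickable (/URI) links only."""
    links = [u for ch, u in extract_urls(pdf) if ch == "link-annotation"]
    n = len(links)
    hosts = Counter(urlsplit(u).hostname or "" for u in links)
    top_share = hosts.most_common(1)[0][1] / n if n else 0.0
    pdf_share = sum(urlsplit(u).path.lower().endswith(".pdf") for u in links) / n if n else 0.0
    hit = (len(pdf) <= MAX_SIZE_BYTES and n >= MIN_EXTERNAL_LINKS
           and top_share >= MIN_TOP_HOST_SHARE and pdf_share >= MIN_PDF_TARGET_SHARE)
    return {"links": n, "hosts": len(hosts), "top_host_share": top_share,
            "pdf_target_share": pdf_share, "PDF_SEO_LINK_FARM": hit}


def build_sample_pdf(link_urls, js_url="http://js.example/landing.html"):
    """Constructed, uncompressed one-page PDF: one /Link annotation per URL, an
    OpenAction JavaScript that launches js_url, and a bare URL in the page text.
    No xref table is written; the byte scanner above does not need one."""
    content = b"BT (See https://body.example/notes for details) Tj ET"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        None,                                    # page object, filled in below
        b"<< /Length %d >>\nstream\n%s\nendstream" % (len(content), content),
        b'<< /S /JavaScript /JS (app.launchURL("' + js_url.encode() + b'", true)) >>',
    ]
    for u in link_urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                    b"/A << /S /URI /URI (" + u.encode() + b") >> >>")
    annots = b" ".join(b"%d 0 R" % k for k in range(6, len(objs) + 1))
    objs[2] = b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + annots + b"] >>"
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (k + 1, o) for k, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed input: six .pdf links on one host plus two stragglers elsewhere.
FARM_URLS = ["http://farm.example/uploads/1/3/0/2/13027%d/%da1b2.pdf" % (k, k) for k in range(6)]
OTHER_URLS = ["https://other-a.example/docs/guide.pdf", "http://other-b.example/page.html#top"]

if __name__ == "__main__":
    sample = build_sample_pdf(FARM_URLS + OTHER_URLS)
    for channel, url in extract_urls(sample):
        print(f"{channel:16} {url}")
    print(link_farm_verdict(sample))
```

The channel split matters for triage: a URL reached only from page text needs the reader to copy it, a /URI link annotation is one click, and a /JS launchURL runs on open without a click. The clustering and ".pdf target" ratios are what separate a link farm from an ordinary bibliography, which also has many external links but spread across hosts and mostly not pointing at other PDFs.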

Extracted artifacts (4)

Files carved from inside the sample during analysis. All four are embedded font streams, which is normal for an authored PDF; they are listed with their SHA-256 so they can be checked independently.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00001221.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1221   7348 bytes
  SHA-256: c08852dbfeadcea2c8477a18338ff8784987f716231caa8f0ab7735fef8a756d
font_01_sfnt_off00008416.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8416   16036 bytes
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
font_02_sfnt_off0000983a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x983A   1428 bytes
  SHA-256: 91cf9cd4efac8f69dcdf587659185da8236567bce3e9e4f6a5ecd944f50fae4f
font_03_sfnt_off0000a2cf.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA2CF   17264 bytes
  SHA-256: 3ba9f96447c00471f7abf73ed1662153ee84ed334419b42576122d4688253235