Malicious PDF — malware analysis report

Static analysis result for SHA-256 3e91feb4fc9948e6…

Verdict: MALICIOUS
File type: PDF
Size: 42.0 KB
Authoring application: pstoedit
MD5: a482d1c67eb10ece5750ee14026323eb
SHA-1: 16590d8e496ebe9af3fdd544e023c55e19d47f07
SHA-256: 3e91feb4fc9948e6af8391dfc99dbeb9352e0d98dc1cb00925f20564cdc751ec
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute malware. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the critical heuristic 'PDF_SEO_LINK_FARM' strongly indicate malicious intent. The document body contains fragmented text related to 'Rheumatic fever treatment nz', which appears to be a lure used to disguise the malicious link farm.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000436c.bin
SHA-256: ad63b0532adeed910bc3d940a7c4d07656f8b76bddae4e0194340d7637c397cd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x436C
Size: 8388 bytes