Malicious PDF — malware analysis report

Static analysis result for SHA-256 419d57b7e3387f4a…

Verdict: MALICIOUS
File type: PDF
Size: 47.4 KB
Authoring application: Adobe PDF Library 9.0
MD5: e5b25cb2307f831c9a3c4510dcf47d7e
SHA-1: 4875c9fc9c84dfcadbce699a038ee24eadc24742
SHA-256: 419d57b7e3387f4a01a307b08ab3292d7ba5605929f0a5cd0cebfde6f2f75dcc
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or redirection scheme. The ML_NYX_PDF_MALICIOUS heuristic and ClamAV detection further support its malicious nature. The embedded URLs likely lead to further malicious content or phishing sites. The document body itself is heavily obfuscated and contains a mix of legitimate-sounding text and what appears to be encoded data, but the primary malicious activity is driven by the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, heuristic: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, heuristic: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, heuristic: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000149b.bin
  SHA-256: 207e5239091ef7adfed0f2c59bae15a9a0a6187b38ecae2484d0ec1a79768f16
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x149B
  Size: 9548 bytes

Filename: font_01_sfnt_off00006884.bin
  SHA-256: 7fe9062a295e236ea58e038cb02099623d84d66b18dfc8bbcbe16b036cb258b7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6884
  Size: 16220 bytes

Filename: font_02_sfnt_off00007d68.bin
  SHA-256: 8ec8c2252d1b0a1cc16637c0e1f77da7137146423e231c53be47bbaf832064ce
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7D68
  Size: 2048 bytes