Malicious PDF — malware analysis report

Static analysis result for SHA-256 43dfab6c1848eaf2…

MALICIOUS

PDF

Size: 37.9 KB
Authoring application: PDFBox
MD5: dd5a8792d199fc5a313a5bd45b865dfa
SHA-1: a04e9d8b4ec1b8001047f1a8e562b88f58dcfd4d
SHA-256: 43dfab6c1848eaf277ab4bc945f3a3531379e30fff638dc1bbd47ffe87fdceda
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment    T1204.001 User Execution: Malicious Link

The PDF_SEO_LINK_FARM heuristic fired on the large number of clickable external links packed into a very small document, a pattern typical of generated SEO-poisoning and phishing carrier PDFs rather than of genuine citations. The Nyx classifier score (0.9999) and the ClamAV signature match corroborate that verdict. The embedded URLs most likely lead to later stages of the chain (credential harvesting or unwanted-software delivery); note that the URL list includes a PayPal-lookalike host (paypal-account-support.bz), which points at credential phishing as at least one of the intended payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://my-smile.top/uploads/2020/01/27/cdfd4.pdf
    • http://dancedietitian.com/uploads/1/3/0/6/130603976/8402971.pdf
    • http://gelu.lifecreditus.ru/uploads/2020/01/27/2243681.pdf
    • http://var.19shop-ua.top/uploads/2020/01/28/5432928.pdf
    • https://zilukepezos.weebly.com/uploads/1/3/0/5/130588214/powufuxiwa.pdf
    • https://kudefinigumol.weebly.com/uploads/1/3/0/2/130270907/8bc175339b43.pdf
    • http://sewaneepilates.com/uploads/1/3/0/2/130289776/b8d21238f4ffc.pdf
    • http://mindsets.net/uploads/1/3/0/6/130620764/ribulexetaje-bimowigalewabeg-kugazuwuj.pdf
    • http://bitimecash.com/uploads/2020/01/27/1365533.pdf
    • http://leoescamilla.com/uploads/2020/01/27/fabixosu-fesuru-munofox-raxiduduputuw.pdf
    • http://ciggysound.com/uploads/1/3/0/6/130621431/burigeruberodam.pdf
    • http://pe-uae.com/uploads/1/3/0/6/130639304/9523580.pdf
    • http://adagedanceanddrama.com/uploads/1/3/0/6/130604344/2828851.pdf
    • http://nationalbusinesseducationweek.com/uploads/1/3/0/4/130476141/131041.pdf
    • https://mezuzubedikul.weebly.com/uploads/1/3/0/3/130323403/e7cdc2.pdf
    • https://goropetinopuj.weebly.com/uploads/1/3/0/5/130551115/36be7f475f25c.pdf
    • http://nod.shyamaprasad.in/uploads/2020/01/27/xedivitilowu_fusugoji_vitoduse_jujodevop.pdf
    • https://guxosavuleg.weebly.com/uploads/1/3/0/4/130492689/lesavesusaforu-bunadetup-mudekox.pdf
    • http://darkstonetv.com/uploads/1/3/0/5/130551126/zodejunezusamefu.pdf
    • http://aspccc.com/uploads/1/3/0/4/130483300/a0a2c.pdf
    • http://laren.paypal-account-support.bz/uploads/2020/01/28/3505732.pdf
    • http://nosborne.com/uploads/1/3/0/6/130604034/e2e03ddc6.pdf
    • http://anticosmetologist.com/uploads/2020/01/27/24abb4.pdf
    • http://nwcenterautos.org/uploads/1/3/0/3/130323155/9642015.pdf
    • http://agelessfitness.net/uploads/1/3/0/3/130313037/130313037.html#lagu+hanya+rindu+metrolagu+online

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off000016ca.bin
  SHA-256: 4221b0d6f79634b266c8cc3b7c4301bab3a7c5cb85192e6ac06c184075bf3e30
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x16CA
  Size:    7504 bytes

font_01_sfnt_off0000578c.bin
  SHA-256: 6bb4616891b14494a0d7454118927f90edf2f5d3d7520645e060bceedca75288
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x578C
  Size:    2716 bytes