Malicious PDF — malware analysis report

Static analysis result for SHA-256 43f206fdce7eb296…

Verdict: MALICIOUS
File type: PDF
Size: 39.5 KB
Authoring application: Nitro PDF
MD5: e52f1e8882e08aa0941feb74fb76f2eb
SHA-1: 5dff70c7e635d0b6d755337d1a91ded294aa5621
SHA-256: 43f206fdce7eb296cac263fba901d853057339489f271b5d20cb65150eef0d98
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, many pointing to suspicious domains, indicating a link farm for phishing or malware distribution. The document body text, while partially corrupted, mentions PDF to Word conversion and includes numerous URLs, reinforcing the lure. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports the phishing and traffic redirection nature of this document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000158c.bin
SHA-256: b7bd94b2b5c7db68184f47ab22db0dbe3b5922cb0cd5862ff6db5b22f80096d5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x158C
Size: 9832 bytes