Malicious PDF — malware analysis report

Static analysis result for SHA-256 46672fa2e3b2588a…

Verdict: MALICIOUS
File type: PDF
Size: 52.9 KB
Authoring application: ImageMagick
MD5: 2889532a0c26a8297c545a9953d7ab4d
SHA-1: 33a73e190419898b47cbe187a6daac0a50dac767
SHA-256: 46672fa2e3b2588a9960df9b0df4c4af1d89877eee75d7aa3e6c201e0497474d
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The PDF contains a large number of embedded URLs pointing to other PDF files, a pattern characteristic of generated SEO link-farm carriers, which are also used to distribute malicious content. The ClamAV signature and the ML classifier independently indicate maliciousness. The primary attack pattern is to route anyone who opens the document into a link farm of external PDFs, most likely as a stage in phishing or malware distribution. The extracted URLs span many unrelated domains but reuse a small set of uploads-directory path templates, which points to automated generation rather than genuine citations; treat them as indicators of the distribution chain, not as proof that every target is currently live or malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware with signature Pdf.Phishing.TtraffRobotInstall-7605656-0.
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) identify which component of the file reached each URL. Those labels are not shown in this listing.
    • http://nicolebarry.ca/uploads/1/3/0/6/130605228/2da801441e5c33b.pdf
    • http://posojik.masterpechi.ru/uploads/2020/01/29/6469924.pdf
    • https://pekuwajexet.weebly.com/uploads/1/3/0/6/130603772/43c0ec53.pdf
    • http://htools.ua/uploads/2020/01/28/fejujogoz_xovowagovi.pdf
    • http://johnlinneballtutoring.com/uploads/1/3/0/6/130620512/da1ec180.pdf
    • http://shiftingtides.net/uploads/1/3/0/6/130605421/32cdf2c16b881a.pdf
    • http://guxadurek.goodbreak.ru/uploads/2020/01/27/rawibufumarif.pdf
    • http://supremeservices.org/uploads/1/3/0/2/130289763/735c28c35f650.pdf
    • http://pyro.ru/uploads/2020/01/28/dixosix-gorajik-begebok-midoxutetu.pdf
    • http://bassittdesigns.com/uploads/1/3/0/6/130604640/xegaxobogebixe.pdf
    • https://fomakumu.weebly.com/uploads/1/3/0/2/130289265/wapam.pdf
    • http://tuz.irbispartner.ru/uploads/2020/01/28/xopigenizupezoto.pdf
    • http://right-style.ru/uploads/2020/01/27/1307703.pdf
    • http://ckfacials.com/uploads/1/3/0/4/130435571/825999.pdf
    • http://puv.1305shop05.fun/uploads/2020/01/28/7b684fff017ac2.pdf
    • http://bartolomeilaw.com/uploads/1/3/0/4/130488158/130488158.html#viber+for+android+play+store
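The PDF_SEO_LINK_FARM heuristic above is described only in prose. The following is an added Python example, not the scanner's own code, that implements the same logic over raw PDF bytes: it pulls /URI targets out of link annotations, keeps the external http(s) ones, counts how many point at .pdf files, measures how strongly they cluster on one host, and combines that with the file size. The thresholds (200 KB, at least 10 links, at least 80% .pdf targets), the two constructed sample documents and the example.net/example.org hosts are all assumptions made for the demonstration; real samples additionally need object streams decompressed before the annotations are visible.

```python
"""PDF_SEO_LINK_FARM-style check: a small PDF whose clickable links are
mostly external .pdf targets.  Added example, not the scanner's own code;
the thresholds and the sample documents are illustrative assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI (...) literal strings inside link-annotation actions.  Objects inside
# compressed object streams and hex-string URIs are out of scope here.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uri_links(pdf_bytes: bytes) -> list:
    """Return every /URI target found in the raw (unencoded) PDF bytes."""
    links = []
    for m in _URI_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        links.append(raw.decode("latin-1"))
    return links


def assess_link_farm(pdf_bytes: bytes, max_size: int = 200_000,
                     min_links: int = 10, min_pdf_ratio: float = 0.8) -> dict:
    """Apply the heuristic and return the evidence alongside the verdict.
    Thresholds are assumed values chosen for the demo."""
    links = [u for u in extract_uri_links(pdf_bytes)
             if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname or "" for u in links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    pdf_ratio = len(pdf_links) / len(links) if links else 0.0
    return {
        "size": len(pdf_bytes),
        "links": len(links),
        "pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": top_count / len(links) if links else 0.0,
        "link_farm": (len(pdf_bytes) <= max_size and len(links) >= min_links
                      and pdf_ratio >= min_pdf_ratio),
    }


def build_pdf_with_links(urls: list) -> bytes:
    """Constructed minimal PDF skeleton with one /Link annotation per URL.
    It has no xref table, so it suits byte-level extraction, not a viewer."""
    annot_refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        f"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Annots [{annot_refs}] >> endobj\n".encode(),
    ]
    for i, url in enumerate(urls):
        parts.append(f"{4 + i} 0 obj << /Type /Annot /Subtype /Link "
                     f"/Rect [0 0 100 20] /A << /S /URI /URI ({url}) >> >> endobj\n".encode())
    parts.append(b"trailer << /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


# Constructed samples on reserved example domains (not the real sample's hosts).
LINK_FARM_PDF = build_pdf_with_links(
    [f"http://farm.example.net/uploads/1/3/0/6/13060{i:04d}/{i:02x}doc.pdf" for i in range(12)])
CITATION_PDF = build_pdf_with_links([
    "https://www.example.org/paper.pdf",
    "https://docs.example.com/manual.html",
    "https://example.net/about",
])

if __name__ == "__main__":
    for name, pdf in (("link farm", LINK_FARM_PDF), ("citations", CITATION_PDF)):
        print(name, assess_link_farm(pdf))
```

The verdict is returned together with the counts it was derived from, so an analyst can see why a file tripped the rule; the host-share value is reported rather than thresholded because, as this sample's URL list shows, a generated link farm can just as well spread its targets across many hosts.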

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font streams; none of the heuristics above flags them, so treat them as artifacts to retain and hash-match rather than as detections. Offsets are positions of the stream in the raw file and sizes are lengths of the carved output: font_01 (13992 bytes) starts only 7953 bytes (0x93B1 - 0x74A0) before font_02, so the sizes are decoded lengths of streams that are stored compressed, not on-disk extents.

Filename: font_00_sfnt_off0000147a.bin
  SHA-256: f2a9549222d19f9d6934c3704915e7c1bae3f12cb9b204584f974848e3f77e0a
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x147A
  Size:    9928 bytes

Filename: font_01_sfnt_off000074a0.bin
  SHA-256: 825dbeb66390f26c2dafe519847c594efa5a0e14e1057cb529fb72653de9bbc0
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x74A0
  Size:    13992 bytes

Filename: font_02_sfnt_off000093b1.bin
  SHA-256: bb66d78edca8aa75a8db461931e44ad6eab12e4cd439df836d92d13c6ef6c22d
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x93B1
  Size:    2668 bytes
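To show how records like the ones in the table are produced, here is an added Python carver, not the sandbox's own code. It walks each stream object, inflates it if it is FlateDecode-compressed, looks for an sfnt table directory, derives the font's length from that directory (so a stray "true" or "OTTO" in content is rejected), and emits filename, SHA-256, raw-file offset and decoded size in the table's convention. Assumptions: the stream dictionary carries a direct /Length value and at most the FlateDecode filter; the embedded sample PDF and the sfnt it contains are constructed for the demo.

```python
"""Carve embedded sfnt (TrueType/OpenType) fonts out of a PDF and hash them,
producing records shaped like the extracted-artifacts table.  Added example,
not the sandbox's own carver.  Assumes a direct /Length in each stream
dictionary and at most FlateDecode; offsets are raw-file positions of the
stream data, sizes are decoded lengths."""
import hashlib
import re
import struct
import zlib
from typing import Iterator, Optional

SFNT_TAGS = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType, Apple, CFF OpenType
# Direct /Length only; "/Length 6 0 R" (indirect) is deliberately not matched.
STREAM_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)[^>]*>>\s*stream\r?\n")


def sfnt_length(buf: bytes, off: int) -> Optional[int]:
    """Length of the sfnt whose table directory starts at off, or None if the
    directory is implausible (rejects random 'true'/'OTTO' bytes)."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    dir_end = 12 + 16 * num_tables
    if not 1 <= num_tables <= 64 or off + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        tag, _csum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):
            return None
        if toff < dir_end or off + toff + tlen > len(buf):
            return None
        end = max(end, toff + tlen)
    return end


def find_sfnts(buf: bytes) -> list:
    """(offset, length) of every plausible sfnt in a decoded buffer."""
    found, pos = [], 0
    while True:
        hits = [i for i in (buf.find(t, pos) for t in SFNT_TAGS) if i != -1]
        if not hits:
            return found
        off = min(hits)
        length = sfnt_length(buf, off)
        if length is None:
            pos = off + 1
            continue
        found.append((off, length))
        pos = off + length


def iter_streams(pdf: bytes) -> Iterator[tuple]:
    """Yield (file offset of stream data, decoded bytes) per stream object."""
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        raw = pdf[start:start + int(m.group(1))]
        try:
            yield start, zlib.decompress(raw)  # FlateDecode
        except zlib.error:
            yield start, raw                   # unencoded stream


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_pdf_fonts(pdf: bytes) -> list:
    """Records with filename, sha256, offset and size, as in the table."""
    records = []
    for stream_off, data in iter_streams(pdf):
        for off, length in find_sfnts(data):
            font = data[off:off + length]
            records.append({"filename": f"font_{len(records):02d}_sfnt_off{stream_off + off:08x}.bin",
                            "sha256": sha256_hex(font),
                            "offset": stream_off + off, "size": length})
    return records


def build_sfnt(tables: dict) -> bytes:
    """Constructed minimal sfnt: header, table directory, 4-byte-padded tables.
    Checksums stay zero because the carver does not verify them."""
    n = len(tables)
    es = n.bit_length() - 1
    sr = (1 << es) * 16
    header = struct.pack(">IHHHH", 0x00010000, n, sr, es, n * 16 - sr)
    directory, body = b"", b""
    for tag, data in tables.items():
        directory += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return header + directory + body


def stream_obj(num: int, data: bytes, flate: bool) -> bytes:
    """Constructed stream object with a correct direct /Length."""
    body = zlib.compress(data) if flate else data
    filt = b" /Filter /FlateDecode" if flate else b""
    return (b"%d 0 obj << /Length %d%s >>\nstream\n" % (num, len(body), filt)
            + body + b"\nendstream\nendobj\n")


# Constructed sample: a plain content stream containing a stray "OTTO", then
# one FlateDecode font stream.  Not the real sample.
SAMPLE_FONT = build_sfnt({b"head": b"\0" * 54, b"cmap": b"\0\0\0\1" + b"\xaa" * 20})
SAMPLE_PDF = (b"%PDF-1.4\n" + stream_obj(4, b"BT /F1 12 Tf (OTTOjunk) Tj ET", False)
              + stream_obj(5, SAMPLE_FONT, True) + b"%%EOF\n")

if __name__ == "__main__":
    for rec in carve_pdf_fonts(SAMPLE_PDF):
        print(rec)
```

Deriving the end of the font from its own table directory, rather than from the stream length, is what lets the carved SHA-256 be compared with hashes of the same font extracted from other documents or from a font package: trailing stream padding no longer perturbs the digest.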