Malicious PDF — malware analysis report

Static analysis result for SHA-256 468854eff72f6058…

MALICIOUS

PDF

Size: 36.5 KB
Authoring application: Mobipocket Creator
MD5: 98f88764e485eb0ae53d8f271473f718
SHA-1: 5763f1867c95fc3ce35be4ca71d0e8ab58688f53
SHA-256: 468854eff72f60586a702d90dd49cc9476095c95befb3b43d6719826c9b2147f
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. The heuristic PDF_SEO_LINK_FARM rule specifically identifies the mass external PDF link farm, with the first URL being http://agl-llc.com/uploads/1/3/0/4/130483956/lutejerorawaba_pesaj_perumuxeb.pdf. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://agl-llc.com/uploads/1/3/0/4/130483956/lutejerorawaba_pesaj_perumuxeb.pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000034d2.bin
SHA-256: c80d5fda8714cf0d44d0e183dcdbbf7009d7062c622ee633630065968160da4a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x34D2
Size: 7528 bytes