Malicious PDF — malware analysis report

Static analysis result for SHA-256 484167fa2b8d5c8f…

MALICIOUS

PDF

Size: 78.2 KB
Authoring application: Adobe PDF Library 9.0
MD5: 0767b60944992023759a4af897ec8d14
SHA-1: 7d16552975c27320ab09ecf9b857f3f0665760f5
SHA-256: 484167fa2b8d5c8f19e63449eaf1b6099986cc8ff60d0c64c936633be2b23641
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious by multiple heuristics, including a critical finding of a link farm containing 31 external PDF links. The ML classifier also strongly indicated maliciousness. The embedded URLs are likely used to redirect users to phishing sites or download further malicious content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.crowndbychrissy.com/uploads/1/3/0/6/130622013/burujonubesagen_pixepamujig_gerugejogex.pdf
    • http://mail.dirtyoldbasters.com/uploads/1/3/0/8/130874257/f5fb68.pdf
    • http://mobilebillboardssantaclara.com/uploads/1/3/0/6/130620752/xolira.pdf
    • http://sales9-pc.pleasingfood.com/uploads/1/3/0/9/130969194/kerudotefovenogusene.pdf
    • http://houseofoptics.com/uploads/1/3/0/7/130775741/9061764.pdf
    • http://erichotel.com/uploads/1/3/0/6/130620819/9779122.pdf
    • http://boston2ireland.com/uploads/1/3/0/2/130291658/3815786.pdf
    • http://bearvbaby.net/uploads/1/3/0/6/130605010/nifigu_jiguvixoj_suguvilugoreg.pdf
    • http://scfsfacultyportal.net/uploads/1/3/0/5/130590702/jidinixodaw.pdf
    • http://mvcheerpoms.org/uploads/1/3/0/3/130313249/63a8ba88.pdf
    • http://deliciasawyertravels.com/uploads/1/3/0/7/130739423/dusateb.pdf
    • http://mountaincreekresortrentals.com/uploads/1/3/0/5/130551154/968364.pdf
    • http://onelifehealthcenter.net/uploads/1/3/0/7/130739479/xudetusabi-zuvomegulo-jewafadidutari.pdf
    • http://2clearlycharming.com/uploads/1/3/0/6/130621211/jarovuratix-zinidefi-bowaserud-folitatanudutu.pdf
    • http://health-e-resources.com/uploads/1/3/0/5/130589393/53291c.pdf
    • http://entrenadorafranco.com/uploads/1/3/0/4/130435589/8fb2aa7a.pdf
    • http://shopgoodplant.com/uploads/1/3/0/3/130323723/613c1.pdf
    • http://kbassokinesiology.com/uploads/1/3/0/6/130639456/8c8e4a55302.pdf
    • http://thesharpetraveler.com/uploads/1/3/0/8/130814784/6827467.pdf
    • http://courtneysuzannelee.com/uploads/1/3/0/6/130639110/vizesevadaxudewus.pdf
    • http://tren.net/uploads/1/3/0/5/130588927/d86c1a685ec.pdf
    • http://comtec.ch/uploads/1/3/0/5/130588780/tuluragoseb_tozupobuwel_sojozunasomome_jekirumok.pdf
    • http://host193.carmichaelnl.com/uploads/1/3/0/7/130738755/130738755.html#focus+on+vocabulary+1+pdf+vk
    • http://kbassokinesiology.com/uploads/1/3/0/6/130639456/8c8e4a5

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • font_00_sfnt_off00001f64.bin
    SHA-256: 819741c98ab7ff74d4cbab97a4df3e3ca5b2d21f45d1ba373aca19f7ac897618
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1F64
    Size: 13488 bytes
  • font_01_sfnt_off0000f8c5.bin
    SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF8C5
    Size: 2652 bytes