Malicious PDF — malware analysis report

Static analysis result for SHA-256 4931a170a28c4410…

Verdict: MALICIOUS
File type: PDF
Size: 40.2 KB
Authoring application: Nitro PDF
MD5: e6d5d3bb8f982d236106fe65b6666142
SHA-1: 37783f834b0d2b0a2606a8bc72cb60997536d7c5
SHA-256: 4931a170a28c44109dce9d3254b6ad9eaf9f882deacf6def4a29c163bfcefc50
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO spam or to distribute malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. The document body, though heavily obfuscated, contains references to medical terms, possibly as a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://dongoad.com/uploads/1/3/0/5/130543538/3821770.pdf
    • http://geterdonehnb.com/uploads/1/3/0/3/130379347/roxizisaram.pdf
    • http://www.askinspine.com/uploads/1/3/0/8/130815097/lojawojekinafekor.pdf
    • http://amarbeck.com/uploads/1/3/0/6/130604547/de7353f91ef.pdf
    • http://chickenland.net/uploads/1/3/0/2/130272577/5870148.pdf
    • http://musicandpeople.com/uploads/1/3/0/9/130969179/995f9c4d7e4f11.pdf
    • http://newbreedbrewchews.com/uploads/1/3/0/7/130776068/2628796.pdf
    • http://www.photo-artgallery.com/uploads/1/3/0/7/130740316/givusepiwos-fomuxuvejug.pdf
    • http://droughtdesigns.com/uploads/1/3/0/2/130287886/4678170.pdf
    • http://webmail.hanskombucha.com/uploads/1/3/0/6/130604151/9b29f42d50a174.pdf
    • http://www.meyer-eng.com/uploads/1/3/0/6/130620737/wamujibuw.pdf
    • http://nsuelite.gammaxiques.org/uploads/1/3/0/6/130604371/130604371.html#enterococcus+faecalis+sepsis+icd+10

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00003328.bin
    SHA-256: 34a12fb865653b1729c914106297c27ce977c13041e291af2b71d48969de71c8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3328
    Size: 4468 bytes
  • font_01_sfnt_off00004421.bin
    SHA-256: 9429e93ff36e331cd6c56dcf6a4c1d7c0fd6f25ba8c922077fa38b2adadfb45b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4421
    Size: 9168 bytes