Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a63f69e4ac9133a…

MALICIOUS

PDF

53.9 KB Authoring application: Serif PagePlus
MD5: ebbc019086fda84114337072350c19d3 SHA-1: 1bf6d8c2771cbbbb35bc8e33390a0d50e9d98540 SHA-256: 4a63f69e4ac9133a8bf3be46d945e8755133a40f7c931ccfe5934e551c8aec96
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies the mass linking behavior, with the dominant host being 'phase2concerts.com'. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://phase2concerts.com/uploads/1/3/0/7/130776516/paranokugel.pdf
    • http://newriver-yoga.com/uploads/1/3/0/4/130488243/lejunapatoruj.pdf
    • http://www.krwell.net/uploads/1/3/0/2/130271087/5324384.pdf
    • http://melissakingcounseling.com/uploads/1/3/0/4/130489172/kinisusedikalaj.pdf
    • http://procoat-irl.com/uploads/1/3/0/5/130539255/a446142eabf9e.pdf
    • http://arcanagame.com/uploads/1/3/0/2/130289749/1b5747075.pdf
    • http://atlantaenforma.com/uploads/1/3/0/6/130605156/nasasametajagib_vorivobup_zazuxafetorewa.pdf
    • http://tripvector.org/uploads/1/3/0/4/130476004/gitujur_jivedugixuk_juselepokofon_lelifivovu.pdf
    • http://servicepartnervanderveenassen.nl/uploads/1/3/0/4/130483086/lejosivumemena.pdf
    • http://personalnutritionist4u.com/uploads/1/3/0/9/130969426/33761.pdf
    • http://www.fitnessconnectioncenter.net/uploads/1/3/0/3/130313320/d330e29.pdf
    • http://hostmaster.callcenterh24.it/uploads/1/3/0/4/130476075/823a7106b76a962.pdf
    • http://duilawvt.net/uploads/1/3/0/4/130479123/2dd55ce5bd.pdf
    • http://carolynrim.com/uploads/1/3/0/5/130588508/66bd43ead8.pdf
    • http://thomasohanlon.com/uploads/1/3/0/5/130551310/2698399.pdf
    • http://mail.7leather.com/uploads/1/3/0/5/130540010/9357995.pdf
    • http://youkulele.us/uploads/1/3/0/6/130620467/9382247.pdf
    • http://oj1ixg.bdgct.com/uploads/1/3/0/8/130813764/130813764.html#logistic+regression+multinomial

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007331.bin
101155e9e67961cf60d0b606f3d2e5ecfc1a7eca46e7073e1d6d6e7877313d71		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7331 9484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.