Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ae469c25cd8aa56…

Verdict: MALICIOUS
File type: PDF
Size: 35.9 KB
Authoring application: Nitro PDF
MD5: 0e6093ca12d0b58be23476f9bf0f2831
SHA-1: ddac66245948c8bad13ebf2046f05fe7a3482a87
SHA-256: 4ae469c25cd8aa56952354bfaa1ceec09ed498bfd59c557c891a9bc7fe00f241
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs, forming a link farm. This is indicative of a phishing or malware distribution campaign, as suggested by the 'PDF_SEO_LINK_FARM' and 'ML_NYX_PDF_MALICIOUS' heuristics. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports this assessment. The primary goal appears to be directing users to download further malicious content from the listed URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mobajo.dljatebja.com/uploads/2020/01/28/bikowafetas.pdf
    • http://accipiterbikes.com/uploads/1/3/0/3/130379078/aa49bfba0ff.pdf
    • http://countingwithelliot.com/uploads/1/3/0/5/130590356/7f3f8a859.pdf
    • http://eventandmeetingplanning.com/uploads/1/3/0/5/130550968/7225918.pdf
    • http://pinkgorillaejuice.com/uploads/1/3/0/3/130379492/b360422c6.pdf
    • http://mayaoak.club/uploads/1/3/0/8/130874192/b6dc82e144e4.pdf
    • http://nebraskasolarschools.net/uploads/1/3/0/5/130551023/a3ab59e2cc.pdf
    • http://radtacular.net/uploads/1/3/0/5/130543262/rexidimut_fipesiwegoru_figutanejo.pdf
    • http://mycityrebate.com/uploads/1/3/0/6/130639365/nakorugozogu.pdf
    • http://myadnteam.com/uploads/1/3/0/4/130483263/bagadogob.pdf
    • http://myonepynt.com/uploads/1/3/0/7/130739488/mudilivijoxi.pdf
    • http://lexicon.edu.in/uploads/1/3/0/4/130477135/4939923.pdf
    • http://astralprojectioncoursewithjerrygross.com/uploads/1/3/0/7/130776818/mujalu_doparoxiwivezi_nenazerinuveduz.pdf
    • http://doicontrol.com/uploads/1/3/0/2/130274316/9addc2c81f31a.pdf
    • http://motorcyclestereo.net/uploads/1/3/0/5/130590507/xadedoko-zatafajakix.pdf
    • http://safechildcoalition.net/uploads/1/3/0/5/130590105/1462075.pdf
    • http://waso.amazon-sellers-check.com/uploads/2020/01/28/nofokuniwex-jonumajufepe.pdf
    • http://miningintelligencecapital.com/uploads/1/3/0/3/130313289/rapage.pdf
    • http://artm.website/uploads/1/3/0/5/130539990/domipeno.pdf
    • http://streamlinenation.net/uploads/1/3/0/6/130620928/918111.pdf
    • http://multistreams.com/uploads/1/3/0/5/130551087/130551087.html#as9100+scope+statement+examples

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002dd4.bin
SHA-256: a002a1ed4db07f146fd3bd8c72d8674e5ca67b6620ed0d58cb2bcfaaa274905c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2DD4
Size: 7540 bytes