Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ccf5039ae3838ad…

Verdict: MALICIOUS
File type: PDF
Size: 60.4 KB
Authoring application: ImageMagick
MD5: ce8e9138bb8a87f742e8c6546569c5a6
SHA-1: e95b9ab7c58e02ef32308565dbbea862469360a1
SHA-256: 4ccf5039ae3838ad999c6a159651f9f17046c8c184ae31f6fd045a4f16ed67b1
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document was flagged by multiple heuristics, including the critical PDF_SEO_LINK_FARM rule, which indicates a large number of embedded external links. The ML classifier also gave a strong malicious score. The embedded URLs most likely act as lures that route users to phishing sites or into further malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00001318.bin
    SHA-256: 6f92f34f8ed571a67f3a8b01ed1244b13977fe33909105e1bdf959242295858d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1318
    Size: 9012 bytes
  • font_01_sfnt_off00009b88.bin
    SHA-256: d459ff9d9192a86415cf32b375e7121a13d7d35788aedfb3a2b50e9975528c65
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9B88
    Size: 16108 bytes