Malicious PDF — malware analysis report

Static analysis result for SHA-256 5059d440972a5531…

MALICIOUS

PDF

Size: 39.3 KB
Authoring application: Soda PDF
First seen: 2021-02-20
MD5: e43152817a3eaaa7c33cda7a7b3ff309
SHA-1: 3886a3cd37c1d3ffbd795e47837b84b5f655ecc9
SHA-256: 5059d440972a55313a9d7470608f98df0ceecba0549e77ec78d47802f9c04e85
Risk Score: 152

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001725.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1725
Size: 7800 bytes
SHA-256: 6e91ef06a1b71a7d4c48618b362668f6d2c28c2cad2909b8882efce0376d111b