Malicious PDF — malware analysis report

Static analysis result for SHA-256 52706c156d16555e…

Verdict: MALICIOUS

File type: PDF

Size: 43.3 KB
Authoring application: Nitro PDF
MD5: 0fd79bc925eb894b70ab1ccaa0194673
SHA-1: e5e4d11de0498fcb5f046ff829352489adf019db
SHA-256: 52706c156d16555e99f80fd5c5fe9b895e89eba439aeadaa218e9fb1243bc91a

Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded links to external PDF files hosted on various domains, as flagged by the PDF_SEO_LINK_FARM heuristic. This pattern is characteristic of a link farm used to distribute malicious content or to conduct phishing attacks. The ML classifier verdict and the ClamAV detection further support the malicious classification. No scripts were extracted from this sample, and the document body was heavily truncated and unreadable, which prevented a more detailed analysis of its specific lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003b08.bin
  SHA-256: 3bd292bae5d3eb7d690784f8b4669fb71bdc87f948cacd6077b41056a56ea228
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x3B08
  Size:    3292 bytes

Filename: font_01_sfnt_off0000499f.bin
  SHA-256: 76114235b1a9d8a4a695c4bddac0569f96cf671e00a75cc202d49e187f96af01
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x499F
  Size:    9340 bytes