Malicious PDF — malware analysis report

Static analysis result for SHA-256 52b4fbc724032cd4…

Verdict: MALICIOUS
File type: PDF
Size: 67.7 KB
Authoring application: ImageMagick
MD5: adc947c3d6263d58e0ada45485c19faf
SHA-1: 0cf54dc316f571df854fa441f8203f0c0944161e
SHA-256: 52b4fbc724032cd49f22223aa4746c54db2804f5cd6b88db4b3f6eca9b856dbf
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This behavior is indicative of a link farm, often used for SEO manipulation or to distribute malicious content. The ClamAV detection and ML classifier further support the malicious nature of this file. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000015b8.bin
  SHA-256: 00bf61e17202febdc104ef64cc00be9cee3f7a9b2bdf4f64f52bed7891e3f784
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15B8
  Size: 9208 bytes

Filename: font_01_sfnt_off0000c3cc.bin
  SHA-256: f335bbb8769c533cbca16f6384a9be7e2e65528b9693bf598f9b6a21ed261b2e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xC3CC
  Size: 16036 bytes