Malicious PDF — malware analysis report

Static analysis result for SHA-256 542245c84173db8f…

MALICIOUS

PDF

Size: 62.6 KB
Authoring application: GIMP
MD5: 29555d4f382742700ff29698328f76a7
SHA-1: 95c99284f090a4903aad39354bb38068296aaabe
SHA-256: 542245c84173db8f152f3317ff6831d5ab7ef4664c87d01c68fe3ffe3b18aafb
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files, as indicated by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV also flagged this file as malicious. The embedded URLs are likely used to distribute phishing content or for SEO spamming purposes. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://maghazin1.fun/uploads/2020/01/28/8051a.pdf
    • http://gobutoje.pansionat-chaika.com/uploads/2020/01/28/sijasim.pdf
    • http://mole-man.co.uk/uploads/1/3/0/3/130323377/85901bea7b.pdf
    • http://palmex.ca/uploads/1/3/0/4/130476601/dabigitabotu.pdf
    • https://buvajufa.weebly.com/uploads/1/3/0/3/130379155/bekeba.pdf
    • http://christbook.org/uploads/1/3/0/4/130435578/1563322.pdf
    • http://annachojnacka.nl/uploads/1/3/0/2/130289308/rexasigerudez_dabawap_leluvusos_bajifinevi.pdf
    • http://mirkamalmi.com/uploads/1/3/0/4/130483990/babdb8932b4.pdf
    • http://molizu.raz-ezzhaya.ru/uploads/2020/01/27/9236310.pdf
    • http://sqgcorporation.com/uploads/1/3/0/5/130551153/0f37e8c0c2c877.pdf
    • http://veksvetodiodov.ru/uploads/2020/01/27/pegiworigi.pdf
    • http://rajumiwewi.go-new.xyz/uploads/2020/01/28/8519871.pdf
    • http://artani360.com/uploads/1/3/0/5/130551262/8703419.pdf
    • http://cafe-oldbaku.ru/uploads/2020/01/27/982b6ae8.pdf
    • http://sampstealer.xyz/uploads/2020/01/27/nudabigifagutov.pdf
    • http://chernobylite.net/uploads/2020/01/28/pifovuxiv_fowemolu.pdf
    • http://boleda.deevki.icu/uploads/2020/01/28/wutabifuveweno.pdf
    • http://3bbabyblankets.com/uploads/1/3/0/6/130639278/luredobufupam.pdf
    • http://ginekologjakiel.pl/uploads/1/3/0/5/130551727/893ed62280.pdf
    • http://trentriverdesigns.com/uploads/1/3/0/5/130544898/130544898.html#matt+damon+the+informant+trailer

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011b6.bin
  SHA-256: 419bb98351604f6a81de28a34b252723e9549b08979a2e29e9dc1d16698ccca8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11B6
  Size: 10216 bytes

Filename: font_01_sfnt_off0000a3bc.bin
  SHA-256: a348e10cd1cc97841f34a4cd25247c8e85e03a2891beebf6cb58a28bfe823997
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA3BC
  Size: 20932 bytes