Malicious PDF — malware analysis report

Static analysis result for SHA-256 5687bbb39ef41a5d…

Verdict: MALICIOUS
File type: PDF
Size: 61.6 KB
Authoring application: PDF Studio
MD5: e8e48ba37e5217ee7510a35a48546ea5
SHA-1: f96058a60fa252537cb25094923eb01975a7ed12
SHA-256: 5687bbb39ef41a5d1960fb2edcc5b530d483fcb3393a20448f687d4683765406
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to external PDF files, indicating a link farm or distribution mechanism. The ClamAV detection and ML classifier strongly suggest malicious intent, consistent with a dropper or downloader. No scripts were extracted, but the heuristic 'PDF_SEO_LINK_FARM' indicates the primary function is to host and link to numerous external PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-7881506-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7881506-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://aronkodeshesbydesign.com/uploads/1/3/0/5/130588299/6670108.pdf
    • http://strengthpluscardio.com/uploads/1/3/0/2/130289166/xidemosutofabipus.pdf
    • http://nice-body.net/uploads/1/3/0/6/130605307/7638827.pdf
    • http://ketosupplements.us/uploads/1/3/0/6/130604551/3699080.pdf
    • http://turkeyvilla.info/uploads/1/3/0/7/130739713/fotuvatakifovo-fobovazamu-wenojulalibabuw-pejifokekusata.pdf
    • http://koonyagarlicfestival.com/uploads/1/3/0/3/130324072/842fd.pdf
    • http://bottomlesshole.com/uploads/1/3/0/2/130287914/xapatulokuzanot.pdf
    • http://signalhill.com.au/uploads/1/3/0/6/130605420/a71ce21d.pdf
    • http://stevehetrick.com/uploads/1/3/0/4/130435834/eb49da082.pdf
    • http://businessbella.com/uploads/1/3/0/4/130483309/cf6de4d03.pdf
    • http://msh.design/uploads/1/3/0/2/130287960/cf9ae98.pdf
    • http://rpprincess.com/uploads/1/3/0/7/130740138/fasobalosi.pdf
    • http://literary.cafe/uploads/1/3/0/6/130604373/086453.pdf
    • http://wikiemt.com/uploads/1/3/0/5/130544001/6d23290da2.pdf
    • http://fromper.com/uploads/1/3/0/6/130620972/baxubenul.pdf
    • http://domainesaintmichel-provence.com/uploads/1/3/0/5/130542996/4043776.pdf
    • http://beatzbylex.com/uploads/1/3/0/7/130739185/8611666.pdf
    • http://younglivingdaily.com/uploads/1/3/0/6/130639220/1446f7e1e849.pdf
    • http://sillycibin.com/uploads/1/3/0/8/130814462/namozobu.pdf
    • http://zhuanjia.bpmtc.com/uploads/1/3/0/5/130545421/130545421.html#carol+of+the+bells+on+piano+sheet+music
    • http://literary.cafe/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000015ff.bin
SHA-256: f501b19ca75b59d633dc269ee19dc3fb6c25662621d28f144e058ead0eee768c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x15FF
Size: 10360 bytes