Malicious PDF — malware analysis report

Static analysis result for SHA-256 586dbf5397a433ec…

Verdict: MALICIOUS
File type: PDF
Size: 59.5 KB
Authoring application: Solid Converter PDF
MD5: cf7e3947ceb988dd2c37c2bca97fe684
SHA-1: d521c4f46b2ade7b140abb04864d28d6c2fec2ac
SHA-256: 586dbf5397a433ecf33e92719003671330704676f3dc6f9b817e55cf93273011
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF was flagged by multiple heuristics, including a critical alert for an unusually large number of clickable external links in a small file, the signature of a generated link-farm carrier rather than a document that cites sources. The ML classifier scored it 0.9994 malicious and ClamAV matches it against a PDF phishing signature. The 26 extracted URLs sit on 26 different domains (several of them weebly.com subdomains) but share a single upload-path layout (/uploads/1/3/0/<n>/<id>/ or /uploads/2020/01/<dd>/), and 25 of them point at further PDF files. The document's purpose is therefore to route readers to externally hosted content, consistent with SEO spam or a staging hop toward malicious or unwanted-software downloads; the file itself shows no payload beyond the links and four embedded fonts.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9994

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external links to other PDF files, clustered on one host or, as here, on one upload-path layout spread across many throwaway domains. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not the citation pattern of a normal document.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mid-ohiovalleybulk.weebly.com/uploads/1/3/0/4/130488371/labutefitiwim_waguxesatevapij_vibanob.pdf
    • http://krishnaandnatansh.com/uploads/1/3/0/6/130621404/6023978.pdf
    • http://movedomaintonewaccttest.com/uploads/1/3/0/3/130312980/de02c.pdf
    • http://freespiritslongisland.com/uploads/1/3/0/5/130539871/9480540.pdf
    • http://spotlightphotos.net/uploads/1/3/0/2/130289558/sovivabalirekiwi.pdf
    • http://mysafeheaven.com/uploads/1/3/0/4/130435672/xavujuza-vodiriribaref.pdf
    • http://mslodersclass.weebly.com/uploads/1/3/0/5/130539759/0c330.pdf
    • http://suwinojod.gamer-card.com/uploads/2020/01/27/varoderob_xokuvupuwatasi_xuviwal_xenofo.pdf
    • https://tonevazumijavud.weebly.com/uploads/1/3/0/3/130379864/gatetomelib.pdf
    • https://daviwamasazoluz.weebly.com/uploads/1/3/0/5/130538981/89075.pdf
    • http://shopsheldons.com/uploads/1/3/0/3/130379074/3bfc62.pdf
    • http://14daychallengecom.com/uploads/1/3/0/4/130476162/4639854.pdf
    • http://carnegieam.org/uploads/1/3/0/2/130289371/9a8e405fae.pdf
    • http://mytaj-prembenefits.com/uploads/1/3/0/5/130542734/9369405.pdf
    • http://led-chicago.com/uploads/1/3/0/5/130588424/8098900.pdf
    • http://collinsmslibrary.org/uploads/1/3/0/4/130488401/visisabozofujen_mutatasag.pdf
    • http://campbellsdental.com/uploads/1/3/0/2/130288468/7168570.pdf
    • http://hobipago.com/uploads/1/3/0/6/130620869/e42b0419.pdf
    • http://centrprava40.ru/uploads/2020/01/27/8018518.pdf
    • http://consultorianora.com/uploads/1/3/0/6/130604028/noniw.pdf
    • http://theprocessperfomance.com/uploads/1/3/0/4/130476778/futanadutep_rinana_xaran_dusexewo.pdf
    • http://bestreviewscbd.com/uploads/1/3/0/4/130478868/nimazamurevo-vilamoridan.pdf
    • http://nisevip.frmclinicsrussia.ru/uploads/2020/01/28/8140918.pdf
    • http://cityglush13.icu/uploads/2020/01/27/nijedi.pdf
    • http://vestmoglobal.com/uploads/1/3/0/5/130590462/gadosuserezaru.pdf
    • http://applyfordisabilitynow.us/uploads/1/3/0/2/130272603/130272603.html#ost+age+of+youth+butterfly
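The PDF_SEO_LINK_FARM alert above is a simple structural heuristic: small file, many /Link annotations pointing off-host, targets that are themselves PDFs, and one shared hosting layout. The script below is an added example of that check and is not the analysis tool's own code. Because the URLs listed in this report are spread over 26 domains but share one upload-path pattern, it clusters on the first path segments as well as on host. It assumes the annotations are stored uncompressed (no object streams) with literal-string /URI values; the thresholds, the hostnames and the sample PDF builder are all constructed for illustration.

```python
"""Added example (not the analysis tool's code): a link-farm heuristic over a
PDF's /Link annotations, in the spirit of the PDF_SEO_LINK_FARM alert.

Assumptions: annotations are uncompressed (no object streams), /URI uses the
literal-string form, and the thresholds below are illustrative, not the tool's.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Matches the /URI (...) entry of a link annotation's action dictionary.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes):
    """Return the URI strings of every /URI (...) entry in the raw file."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        # Undo PDF literal-string escapes such as \( \) \\ (octal escapes ignored).
        raw = re.sub(rb"\\(.)", lambda e: e.group(1), m.group(1))
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_verdict(pdf_bytes, max_size=200_000, min_links=10,
                      min_pdf_share=0.8, min_prefix_share=0.8):
    """Small file + many external links + mostly .pdf targets + one path layout => farm."""
    externals = [u for u in extract_uris(pdf_bytes) if urlsplit(u).scheme in ("http", "https")]
    n = len(externals)
    hosts = Counter(urlsplit(u).hostname for u in externals)
    pdf_share = sum(urlsplit(u).path.lower().endswith(".pdf") for u in externals) / n if n else 0.0
    # Generated carriers reuse one CMS upload layout (/uploads/1/3/0/<n>/<id>/...)
    # across many throwaway domains, so cluster on the first two path segments.
    prefixes = Counter("/".join(urlsplit(u).path.split("/")[:3]) for u in externals)
    prefix_share = prefixes.most_common(1)[0][1] / n if n else 0.0
    is_farm = (len(pdf_bytes) <= max_size and n >= min_links
               and pdf_share >= min_pdf_share and prefix_share >= min_prefix_share)
    return {"size": len(pdf_bytes), "external_links": n, "distinct_hosts": len(hosts),
            "pdf_share": round(pdf_share, 2),
            "top_prefix": prefixes.most_common(1)[0][0] if n else "",
            "top_prefix_share": round(prefix_share, 2), "link_farm": is_farm}


def build_sample_pdf(urls):
    """Constructed test input: a minimal one-page PDF with one /Link annotation per URL.
    The xref table is omitted; the regex scanner above does not need it."""
    annots, refs = [], []
    for i, u in enumerate(urls):
        num = 4 + i  # objects 1-3 are catalog, pages tree and page
        refs.append(f"{num} 0 R")
        annots.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 {10*i} 100 {10*i+10}]"
                      f" /Border [0 0 0] /A << /S /URI /URI ({u}) >> >>\nendobj\n")
    body = ("%PDF-1.4\n"
            "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{' '.join(refs)}] >>\nendobj\n"
            + "".join(annots) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# Constructed URLs mimicking the many-domains / one-upload-layout pattern; not real hosts.
FARM_URLS = [f"http://farm-host-{i:02d}.example/uploads/1/3/0/{i % 7}/13{i:07d}/{i * 7919:x}.pdf"
             for i in range(14)]
BENIGN_URLS = ["https://www.example.org/about", "https://docs.example.org/guide.pdf"]

if __name__ == "__main__":
    print(link_farm_verdict(build_sample_pdf(FARM_URLS)))
    print(link_farm_verdict(build_sample_pdf(BENIGN_URLS)))
```

On a real sample, decompress object streams first (for example with `qpdf --qdf --object-streams=disable`) or the regex will see none of the annotations; the verdict fields also make a useful triage row even when the boolean is false.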

Extracted artifacts (4)

Files carved from inside the sample during analysis.

font_00_sfnt_off00001956.bin
  SHA-256: 5ab70a2301cf526ef3a26017db6cbc9c41cbe00cad988f98d79bf9ac3b3791d6
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1956
  Size:    8356 bytes

font_01_sfnt_off00006d10.bin
  SHA-256: b80a5c003d70237372709d105215d399a13d85ef9e4e2ecc90c8e37f08db6523
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x6D10
  Size:    5088 bytes

font_02_sfnt_off00007b65.bin
  SHA-256: 01cc69c0ff4eb497c4b31324848ebafef62d767031ac7a49e12fb253a856a0e7
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7B65
  Size:    17156 bytes

font_03_sfnt_off000094ba.bin
  SHA-256: d692f9c1608ddf187e0d5b0fd96723e278b3b48f862f1abadbc8ef5cb2f3cbaf
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x94BA
  Size:    11292 bytes
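The carved artifacts above are sfnt font programs located by offset and sized from their table directory. The script below is an added example of that carving step and is not the analysis tool's code. It scans for the sfnt magics, validates the table directory so that the PDF boolean keyword `true` (byte-identical to the TrueType magic) is rejected, and repeats the scan inside any FlateDecode stream it can inflate, which is where FontFile2/FontFile3 data usually lives. The font builder and PDF-like container are constructed test data; it assumes plain Flate streams with no predictors or object streams.

```python
"""Added example (not the analysis tool's code): carve sfnt fonts out of a PDF,
reporting offset, size, table tags and SHA-256 like the artifact table above.

Assumptions: plain FlateDecode streams only (no predictors, no object streams);
offsets are file offsets for raw hits and stream-relative for inflated hits.
"""
import hashlib
import re
import struct
import zlib

SFNT_MAGIC_RE = re.compile(rb"\x00\x01\x00\x00|true|OTTO")
# (?<!end) keeps the "stream" inside "endstream" from opening a bogus match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def parse_sfnt_at(buf, pos, max_tables=64):
    """Return (size, table tags) if a plausible sfnt directory starts at pos, else None."""
    if pos + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, pos + 4)[0]
    dir_end = 12 + 16 * num_tables
    if not 1 <= num_tables <= max_tables or pos + dir_end > len(buf):
        return None
    end, tags = dir_end, []
    for i in range(num_tables):
        tag, _checksum, off, length = struct.unpack_from(">4sIII", buf, pos + 12 + 16 * i)
        # Tags are four printable ASCII bytes; table data must follow the directory
        # and stay inside the buffer. This is what rejects the PDF keyword "true".
        if (not all(0x20 <= b <= 0x7E for b in tag) or off < dir_end
                or pos + off + length > len(buf)):
            return None
        tags.append(tag.decode("ascii"))
        end = max(end, off + length)
    end = min(-(-end // 4) * 4, len(buf) - pos)  # tables are padded to 4 bytes
    return end, tags


def scan_buffer(buf, source):
    """Carve every validated sfnt in buf, skipping magics inside an already carved font."""
    found, claimed_until = [], 0
    for m in SFNT_MAGIC_RE.finditer(buf):
        if m.start() < claimed_until:
            continue
        parsed = parse_sfnt_at(buf, m.start())
        if parsed is None:
            continue
        size, tags = parsed
        blob = buf[m.start():m.start() + size]
        found.append({"source": source, "offset": m.start(), "size": size, "tables": tags,
                      "sha256": hashlib.sha256(blob).hexdigest()})
        claimed_until = m.start() + size
    return found


def carve_fonts(pdf_bytes):
    """Raw-file scan first (uncompressed fonts), then each inflatable stream."""
    results = scan_buffer(pdf_bytes, "file")
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            inflated = zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data; the raw scan already covered it
        results += scan_buffer(inflated, f"FlateDecode stream at 0x{m.start(1):X}")
    return results


def build_sfnt(tables):
    """Constructed test data: a minimal TrueType-flavoured sfnt, not a usable font."""
    n = len(tables)
    entry_selector = max(0, n.bit_length() - 1)          # floor(log2(n))
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">IHHHH", 0x00010000, n, search_range, entry_selector,
                         n * 16 - search_range)
    dir_size, directory, payload = 12 + 16 * n, b"", b""
    for tag, data in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag, 0, dir_size + len(payload), len(data))
        payload += data + b"\0" * (-len(data) % 4)       # 4-byte alignment
    return header + directory + payload


def build_font_container(raw_font, flate_font):
    """Constructed PDF-like file: one uncompressed stream, one FlateDecode stream,
    plus a '/Marked true' entry to exercise the magic collision."""
    comp = zlib.compress(flate_font)
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /MarkInfo << /Marked true >> >>\nendobj\n"
            b"5 0 obj\n<< /Length " + str(len(raw_font)).encode() + b" >>\nstream\n"
            + raw_font + b"\nendstream\nendobj\n"
            b"6 0 obj\n<< /Length " + str(len(comp)).encode() + b" /Filter /FlateDecode >>\nstream\n"
            + comp + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    a = build_sfnt({b"cmap": b"A" * 20, b"glyf": b"B" * 33})
    b = build_sfnt({b"head": b"C" * 54, b"hmtx": b"D" * 8, b"loca": b"E" * 10})
    for hit in carve_fonts(build_font_container(a, b)):
        print(hit)
```

Hash each carved blob rather than the enclosing stream: the SHA-256 of the bare sfnt is what lets you pivot the font across other PDFs produced by the same generator, independent of how each file compressed it.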