Malicious PDF — malware analysis report

Static analysis result for SHA-256 58a2905d359a945c…

MALICIOUS

PDF

41.7 KB Authoring application: Solid Converter PDF
MD5: c4bb70d7d3efeed64feadc75312e71f3 SHA-1: 020f3fcbb44b75b231c9482e913ce4d8305b3266 SHA-256: 58a2905d359a945c710205dbc36f2e0b585b81e82be5cb6adfcd9897790f27e2
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files hosted across various domains. This behavior is indicative of a link farm or redirection scheme, likely intended to lead users to malicious content or phishing pages. The ClamAV detection and ML classifier strongly support a malicious classification. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://minefotografier.com/uploads/1/3/0/2/130289259/682513.pdf
    • http://fivestarparties.net/uploads/1/3/0/4/130489969/63a1a850ab.pdf
    • http://theclosetchange.com/uploads/1/3/0/5/130588942/xurumo_xakuram_zalimekogi.pdf
    • http://bronyfest.org/uploads/1/3/0/6/130639629/zewebanadiros.pdf
    • http://willpowergroup.net/uploads/1/3/0/8/130814234/5e4a7b95d2f868.pdf
    • http://tampa321sold.com/uploads/1/3/0/2/130291416/sozutedigofi-liluza-butasekur-fowazifun.pdf
    • http://thesustainables.net/uploads/1/3/0/7/130775632/88740cd14e.pdf
    • http://www.mudhookbc.com/uploads/1/3/0/5/130588545/5396740.pdf
    • http://www.moyasgin.com/uploads/1/3/0/7/130775029/nugofosarusotu_diwatobule.pdf
    • http://hpbyg.dk/uploads/1/3/0/4/130483295/6901848.pdf
    • http://lapersonalinjurylawyer.net/uploads/1/3/0/2/130289334/4d9ab21672e.pdf
    • http://srpjewelry.com/uploads/1/3/0/5/130546333/kemomoxoxibaba_guzozezo.pdf
    • http://satinandromance.com/uploads/1/3/0/6/130621455/6723585.pdf
    • http://holub.life/uploads/1/3/0/4/130489159/3099396.pdf
    • http://big-boss-money.com/uploads/1/3/0/4/130483953/topavinexumumaw-wutegu.pdf
    • http://anxiouslittlepishy.com/uploads/1/3/0/2/130289304/tofepukafizaluguz.pdf
    • http://www.rojosiena.org/uploads/1/3/0/4/130436513/6270241.pdf
    • http://nybestdentist.net/uploads/1/3/0/5/130589085/3530515.pdf
    • http://www.dchudphotography.com/uploads/1/3/0/8/130813134/5bac4b168965497.pdf
    • http://diagmal.eu/uploads/1/3/0/3/130323157/121010973be.pdf
    • http://profesionallashes.com/uploads/1/3/0/5/130551491/c84b3.pdf
    • http://africanubuntusafaris.com/uploads/1/3/0/4/130493037/fofewadimuwa_kulabotivafujul.pdf
    • http://vcconsulting.ca/uploads/1/3/0/4/130483350/134aecc00838c6.pdf
    • http://food.mackay101.com/uploads/1/3/0/7/130738639/6258421.pdf
    • http://ccrewdogs.com/uploads/1/3/0/6/130621579/lojumuzevizilot.pdf
    • http://www.qianqianpig.com/uploads/1/3/0/4/130489563/130489563.html#addendum+to+lease+agreement+template+south+africa
    • http://lapersonalinjurylawyer.net/uploads/1/3/0/2/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003eb2.bin
75dc378f3552bf4a26b26a6f332416d6c5e3cc9a481b688ac1bd5e11e99b7176		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3EB2 7968 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.