Malicious PDF — malware analysis report

Static analysis result for SHA-256 58bf0c9c79107f41…

Verdict: MALICIOUS
File type: PDF
Size: 46.8 KB
Authoring application: pdf-parser
MD5: 2adeb285fff7a1812084c9486b6cc840
SHA-1: 5007057058e2dc1424bd3f7ea0ebd33017b2003c
SHA-256: 58bf0c9c79107f41cddf4f2ecb183dbcdb91889521a6a25e9f86fdee214bda6a
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, a technique commonly used for phishing or distributing further malware. The ClamAV detection and ML classifier strongly indicate malicious intent. The embedded URLs likely lead to malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9987

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://treasureoftheworld.org/uploads/1/3/0/6/130620484/cab145ac663d.pdf
    • http://333survival.com/uploads/1/3/0/4/130483454/minikoxomawe.pdf
    • http://stadetrucking.com/uploads/1/3/0/5/130588272/afecec.pdf
    • http://musclegear-asia.com/uploads/1/3/0/5/130543106/tizivivunomemun.pdf
    • http://talesfromcatmountain.com/uploads/1/3/0/8/130874192/d6082eab93.pdf
    • http://www.hemisphereforest.com/uploads/1/3/0/4/130435945/gufarituputatajek.pdf
    • http://excelatms.net/uploads/1/3/0/3/130323738/4bb69917f0775.pdf
    • http://ps110k.com/uploads/1/3/0/2/130291433/gupekex-zimobutulud.pdf
    • http://newnextsf.com/uploads/1/3/0/5/130588596/pafalosukepopolobima.pdf
    • http://milescan.com/uploads/1/3/0/4/130435499/pewiz-lorovovuka.pdf
    • http://www.newenglandroofing.com/uploads/1/3/0/5/130551427/pefonerubux-lelavebeveku-jutovuxaden.pdf
    • http://chaionlineshopping.com/uploads/1/3/0/5/130543063/4303349.pdf
    • http://delicado.shop/uploads/1/3/0/2/130270768/4135387.pdf
    • http://natashiapandther.com/uploads/1/3/0/7/130776247/mifen.pdf
    • http://cbaptistmurillo.com/uploads/1/3/0/6/130604417/bigakosipozejatede.pdf
    • http://aliahjan.co.nz/uploads/1/3/0/5/130550698/lomoxuj.pdf
    • http://power2paws.com/uploads/1/3/0/7/130740437/aa435a64.pdf
    • http://sherwoodrooster.com/uploads/1/3/0/5/130539735/suduluvuka-sozum-kepejowokez.pdf
    • http://newburghmodelrrclub.org/uploads/1/3/0/6/130621460/zajanububuju.pdf
    • http://thereeflab.com/uploads/1/3/0/7/130738945/sunofamamafajag-menubew-gagase.pdf
    • http://fiberproxy.org/uploads/1/3/0/6/130605462/6b825a.pdf
    • http://rockypointsecurity.com/uploads/1/3/0/7/130740412/4633946.pdf
    • http://basicist.com/uploads/1/3/0/4/130478709/6235671.pdf
    • http://mooreequineevents.com/uploads/1/3/0/4/130435672/juzoxizi.pdf
    • http://atasteofjamaicaandmore.com/uploads/1/3/0/2/130289201/130289201.html#passive+voice+past+simple+past+continuous+exercises
    • http://www.newenglandroofing.com/uploads/1/3/0/5/130551427/pefon

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003bcf.bin
    SHA-256: 65ca2fa633a49bc637c245e3469a24bec82cbb291b9200d770c42ee2df1588ac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3BCF
    Size: 16096 bytes
  • Filename: font_01_sfnt_off00005354.bin
    SHA-256: dfc385ba51fe1998988a8ab484e9094768c5b3cee6eb3d3ce33872f5ceceade3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5354
    Size: 8112 bytes