Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c9062f06982b164…

Verdict: MALICIOUS
File type: PDF
Size: 40.3 KB
Authoring application: Soda PDF
MD5: e95c80ade2673665bbf90c986c2fcbf9
SHA-1: f35c1f51accb5211d46d18f99f32c0249f3e7400
SHA-256: 5c9062f06982b16437dd69e51df151fb3920f899933806c7f382f08139f0826b
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries an unusually large number of embedded link annotations, which the analysis flags as a link farm: almost every target is another PDF under an /uploads/... path on a different host, the pattern of a generated SEO carrier that routes a reader into a malicious or unwanted-software delivery chain rather than of a document citing its sources. The PDF_SEO_LINK_FARM heuristic and the ClamAV signature Pdf.Dropper.Agent-7812385-0 together point to dropper-style behaviour, with the linked PDFs as the likely second stage. The only artifact carved from the file is an embedded font, so the risk lies in where the links lead rather than in code inside this file; the link targets should be treated as untrusted and resolved only from an isolated analysis host.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Dropper.Agent-7812385-0
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7812385-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://thecranberrystore.com/uploads/1/3/0/6/130604305/misetiwijejowadopu.pdf
    • http://lernposter.club/uploads/2020/01/27/3609025.pdf
    • http://robinsnestfunraiser.org/uploads/1/3/0/6/130605168/porefugebaw.pdf
    • https://vajijinu.weebly.com/uploads/1/3/0/5/130552097/8530829.pdf
    • http://tere.osteosys.org/uploads/2020/01/28/pibivi_fedubavumor_jirexesiv.pdf
    • http://3busy.net/uploads/1/3/0/4/130476605/3408158.pdf
    • http://delarkiltd.com/uploads/1/3/0/5/130541743/2965986.pdf
    • https://tasugoju.weebly.com/uploads/1/3/0/5/130544591/746d3e.pdf
    • http://frostsurveyors.com/uploads/1/3/0/5/130588988/pevorude.pdf
    • https://pigupukomamotax.weebly.com/uploads/1/3/0/4/130483205/darezorisuwovuvijug.pdf
    • http://ceecentre.com/uploads/1/3/0/4/130476661/jifuwevukexunul.pdf
    • https://litepowi.weebly.com/uploads/1/3/0/3/130379575/tenake.pdf
    • http://nworparenting.com/uploads/1/3/0/4/130476589/mudef.pdf
    • https://ronijuwe.weebly.com/uploads/1/3/0/4/130435578/xafume_jumemov.pdf
    • http://burningspark.com/uploads/2020/01/28/silaw-bopusipejipile-kesun.pdf
    • http://edsoncustomcruisers.com/uploads/1/3/0/6/130603874/8676982.pdf
    • http://ompeacelove.com/uploads/1/3/0/6/130603807/f359a8.pdf
    • http://lifib.remont-msk3.icu/uploads/2020/01/28/66b8353d.pdf
    • http://muxof.asdklo.xyz/uploads/2020/01/27/xogejuvodisudul.pdf
    • http://mongomuscleapparel.com/uploads/1/3/0/5/130550744/491152.pdf
    • http://keziavitangcol.com/uploads/1/3/0/2/130272575/kesupuvutudaxere.pdf
    • http://suite201escaperoom.com/uploads/1/3/0/4/130477541/vudafubova-lopigovifenad-sugolotezexu.pdf
    • http://nimbus-realty.com/uploads/1/3/0/4/130435891/tixifizoge-rezeraxoz.pdf
    • http://reveriebelgns.com/uploads/1/3/0/5/130551677/130551677.html#d%C3%A9couper+un+pdf+en+plusieurs+pages
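A compact re-implementation of the two mechanisms behind these findings, added here as an example and not the engine that produced this report: it pulls URLs out of raw PDF objects, labels the channel each came through (link annotation, JavaScript action, or plain document text, as the EMBEDDED_URL note describes), and then applies a PDF_SEO_LINK_FARM-style rule: small file, many external .pdf link targets, most of them on one host. The fixture PDF, the .example hostnames and the thresholds (250 KB, 10 links, 50% on one host) are constructed for the example; the scanner only sees uncompressed objects, so a real engine would first inflate /FlateDecode streams and object streams.

```python
"""Link-farm heuristic over raw PDF bytes.

Added example, not the engine that produced this report. It scans
uncompressed PDF objects only: links inside /FlateDecode streams or object
streams (/ObjStm) are invisible to it until those are inflated.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# A PDF literal string with backslash escapes; balanced unescaped parentheses
# and hex strings <...> are not handled in this example.
LITERAL = rb"\(((?:\\.|[^\\)])*)\)"
URI_ACTION = re.compile(rb"/URI\s*" + LITERAL, re.S)   # /A << /S /URI /URI (...) >>
JS_ACTION = re.compile(rb"/JS\s*" + LITERAL, re.S)     # /S /JavaScript /JS (...)
ANY_URL = re.compile(rb"https?://[^\s<>()\"']+")


def _unescape(literal: bytes) -> bytes:
    # Drops the backslash from escaped ( ) and \ ; octal escapes are not handled.
    return re.sub(rb"\\(.)", lambda m: m.group(1), literal, flags=re.S)


def extract_urls(pdf: bytes) -> list:
    """(channel, url) pairs in order of first appearance, de-duplicated by URL."""
    seen = {}
    for channel, pattern in (("link annotation", URI_ACTION), ("javascript", JS_ACTION)):
        for m in pattern.finditer(pdf):
            for url in ANY_URL.findall(_unescape(m.group(1))):
                seen.setdefault(url.decode("latin-1"), channel)
    for url in ANY_URL.findall(pdf):  # whatever remains is plain document text
        seen.setdefault(url.decode("latin-1"), "document body")
    return [(ch, url) for url, ch in seen.items()]


def link_farm(pdf: bytes, max_size: int = 250_000, min_links: int = 10,
              cluster_share: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM-style rule: small file, many external .pdf link
    annotations, most of them on a single host. Thresholds are assumptions."""
    targets = []
    for channel, url in extract_urls(pdf):
        p = urlparse(url)
        if (channel == "link annotation" and p.scheme in ("http", "https")
                and p.path.lower().endswith(".pdf")):
            targets.append(p.hostname)
    hosts = Counter(targets)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(targets) if targets else 0.0
    fired = len(pdf) <= max_size and len(targets) >= min_links and share >= cluster_share
    return {"size": len(pdf), "external_pdf_links": len(targets), "hosts": len(hosts),
            "top_host": top_host, "top_host_share": round(share, 2),
            "PDF_SEO_LINK_FARM": fired}


def build_sample_pdf(link_urls, js_url=None, body_url=None) -> bytes:
    """Constructed fixture: a minimal uncompressed PDF skeleton carrying link
    annotations, an OpenAction JavaScript and a URL in page text. It has no
    xref table, so it is for scanning only, not for opening in a viewer."""
    annots = " ".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        f"/A << /S /URI /URI ({u}) >> >>" for u in link_urls)
    open_action = (f"/OpenAction << /S /JavaScript /JS (app.launchURL\\(\"{js_url}\"\\)) >>"
                   if js_url else "")
    content = f"BT /F1 12 Tf (see {body_url}) Tj ET" if body_url else ""
    doc = (
        "%PDF-1.4\n"
        f"1 0 obj << /Type /Catalog /Pages 2 0 R {open_action} >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{annots}] /Contents 4 0 R >> endobj\n"
        f"4 0 obj << /Length {len(content)} >> stream\n{content}\nendstream endobj\n"
        "%%EOF\n")
    return doc.encode("latin-1")


# Constructed sample: nine .pdf links on one host, two on others, one non-PDF link.
SAMPLE_LINKS = [f"http://files-a.example/uploads/1/3/0/5/13055{i:04d}/{i}.pdf" for i in range(9)] + [
    "http://other-b.example/uploads/2020/01/27/one.pdf",
    "https://other-c.example/uploads/2020/01/28/two.pdf",
    "http://other-d.example/index.html",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, js_url="http://js.example/go",
                              body_url="https://body.example/page")

if __name__ == "__main__":
    for channel, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} {url}")
    print(link_farm(SAMPLE_PDF))
```

On a real sample, read the file and call link_farm(data); before trusting a negative result, inflate compressed streams first, since a link farm packed into an object stream is invisible to a raw byte scan.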

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001721.bin
SHA-256: f1debcb5c4cc6c16e5e5c171e399b906b7de78cd41695999a8e8ab9718e81493
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1721
Size: 9812 bytes