Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d0dc234fab48163…

Verdict: MALICIOUS
File type: PDF
Size: 42.3 KB
Authoring application: Pdftk
MD5: 943e9f080db11ed092b011c3666c8711
SHA-1: 2db5422604afb1278d69e1103f3c8a34b4b87579
SHA-256: 5d0dc234fab48163d86119022239a22e32bbecd997a9d2ddc9c45f8f11d98e47
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded links to external PDF documents, as detected by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV also flagged this file as malicious. The embedded URLs likely serve to distribute additional malicious content or manipulate search engine results.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000041b3.bin
SHA-256:  fcf249629d9d6ba3e9e7e2ceaa4bccfe97c2df69caade2e3eeae97c7cacefa18
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x41B3
Size:     7728 bytes