Malicious PDF — malware analysis report

Static analysis result for SHA-256 6214d7c73ca45cb7…

Verdict: MALICIOUS
File type: PDF
Size: 34.1 KB
Authoring application: Pdftk
MD5: ecbd413c538dc761c5ebd983fc670c61
SHA-1: 7a78e781d51be84a4aad18f9de65a07f67261b98
SHA-256: 6214d7c73ca45cb7f275691c78883a79fb5fbd908daa24ada40d704e437cdf0e
Risk Score: 192

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a large number of embedded links, identified as a link farm, which are likely intended to redirect users to malicious websites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate a phishing or malware distribution intent. The embedded links are designed to lure users to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL (high, PDF_RANDOM_URL_LINK)
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures (the visible document is only a prompt), not a PDF parser vulnerability.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000015e5.bin
SHA-256: 23bcad4ea101afe6fd59a5a8a2b1a1f819e81180b51c4ab2db987edffc89158c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x15E5
Size: 7188 bytes