Malicious PDF — malware analysis report

Static analysis result for SHA-256 623d900829474f70…

Verdict: MALICIOUS
File type: PDF
Size: 32.7 KB
Authoring application: Mobipocket Creator
MD5: 8b0d1b53b08ac9281cfde4202bb96226
SHA-1: 63cd31f24c2b34af227cd9b0090c401dafdecf97
SHA-256: 623d900829474f70b72a30a06dd5a54be2485b3cb81373068571e3abd9f9eed0
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a large number of embedded external links and is identified as a link farm. The ClamAV signature and the ML classifier both indicate maliciousness, specifically a phishing or redirection attempt. The primary attack pattern is to direct the reader to a multitude of external PDF files hosted on many different domains, most likely to distribute malware or to support SEO-based scams. Every listed link follows the same "/uploads/1/3/0/<n>/<id>/" path template, which indicates mass-generated pages rather than genuine citations. Note that the only artifact carved from the file is an embedded font and no JavaScript, launch action or exploit content is reported, so the evidence supports the phishing/link-farm classification rather than client-side exploitation.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, typically clustered on one host; in this sample they are spread across 14 hosts but share one generated path template. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://daveyoberlin.com/uploads/1/3/0/6/130621675/f2abf6d90b.pdf
    • http://renova-skin.com/uploads/1/3/0/2/130288962/8572242.pdf
    • http://artm.online/uploads/1/3/0/5/130590339/ac1573c9306.pdf
    • http://jones106.com/uploads/1/3/0/7/130739223/b35cad41d.pdf
    • http://fearoftheunknownseries.com/uploads/1/3/0/8/130813903/pijid_falukam.pdf
    • http://www.seltacoma.com/uploads/1/3/0/5/130539215/revuxedeguxutufivom.pdf
    • http://www.synergycsllc.com/uploads/1/3/0/6/130620525/6972894.pdf
    • http://mysonnyrae.com/uploads/1/3/0/6/130621587/6c1a752945.pdf
    • http://ssvfcpc.org/uploads/1/3/0/6/130639709/xusinovuli.pdf
    • http://oratert.host/uploads/1/3/0/3/130379183/zuxobagaser.pdf
    • http://clarke-ts.betterfield.net/uploads/1/3/0/2/130287424/fac50554e06b1b5.pdf
    • http://thechinahustle.us/uploads/1/3/0/5/130543198/d891e6.pdf
    • http://nyingma-summer-seminar.com/uploads/1/3/0/5/130588747/ladatiruwo_mudanovodekib.pdf
    • http://74-123-73-20.mgwnet.com/uploads/1/3/0/2/130288542/130288542.html#%E2%80%A2+procedimiento+anal%C3%ADtico+o+pormenorizado
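As an added example (not part of the report or of the analysis tool that produced it), the following Python script shows how the link-farm heuristic and the URL extraction above can be reproduced: it scans a PDF for /URI actions, unescapes both literal and hex string forms, and then applies a PDF_SEO_LINK_FARM style test that fires on clustering by host or by path template. The thresholds (64 KB, 8 links, 50 % clustering) are assumptions, and the sample PDF is constructed inline around the link targets listed in the report; nothing is fetched from the network.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample input: link targets copied from the report above (the
# script never contacts them), wrapped in a minimal uncompressed PDF skeleton.
SAMPLE_URLS = [
    "http://daveyoberlin.com/uploads/1/3/0/6/130621675/f2abf6d90b.pdf",
    "http://renova-skin.com/uploads/1/3/0/2/130288962/8572242.pdf",
    "http://artm.online/uploads/1/3/0/5/130590339/ac1573c9306.pdf",
    "http://jones106.com/uploads/1/3/0/7/130739223/b35cad41d.pdf",
    "http://fearoftheunknownseries.com/uploads/1/3/0/8/130813903/pijid_falukam.pdf",
    "http://www.seltacoma.com/uploads/1/3/0/5/130539215/revuxedeguxutufivom.pdf",
    "http://www.synergycsllc.com/uploads/1/3/0/6/130620525/6972894.pdf",
    "http://mysonnyrae.com/uploads/1/3/0/6/130621587/6c1a752945.pdf",
    "http://ssvfcpc.org/uploads/1/3/0/6/130639709/xusinovuli.pdf",
    "http://oratert.host/uploads/1/3/0/3/130379183/zuxobagaser.pdf",
    "http://74-123-73-20.mgwnet.com/uploads/1/3/0/2/130288542/130288542.html#%E2%80%A2+procedimiento+anal%C3%ADtico+o+pormenorizado",
]


def build_sample_pdf(urls):
    """Wrap each URL in a /Link annotation; odd entries use hex strings so both
    PDF string syntaxes are exercised. No xref table: this skeleton is for the
    string scanner below, not for a viewer."""
    annots, refs = [], []
    for i, u in enumerate(urls):
        num = 4 + i
        if i % 2:
            s = "<" + u.encode("latin-1").hex().upper() + ">"
        else:
            s = "(" + u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)") + ")"
        annots.append(f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 {i * 12} 200 {i * 12 + 10}] "
                      f"/A << /S /URI /URI {s} >> >>\nendobj\n")
        refs.append(f"{num} 0 R")
    body = ("%PDF-1.4\n"
            "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{' '.join(refs)}] >>\nendobj\n"
            + "".join(annots) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# /URI followed by either a literal string (...) or a hex string <...>.
_URI = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.DOTALL)
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
        b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape_literal(raw):
    """Resolve PDF literal-string escapes (\\n, \\(, \\ddd octal, line continuation)."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] != b"\\":
            out.append(raw[i])
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        octal = re.match(rb"[0-7]{1,3}", raw[i + 1:i + 4])
        if nxt in _ESC:
            out += _ESC[nxt]
            i += 2
        elif octal:
            out.append(int(octal.group(0), 8) & 0xFF)
            i += 1 + len(octal.group(0))
        else:
            i += 1  # backslash-newline or unknown escape: drop the backslash
    return out.decode("latin-1")


def extract_uri_links(pdf):
    """Return /URI targets in document order from uncompressed objects. Link
    dictionaries inside compressed object streams are invisible to this scanner;
    inflate them first (e.g. qpdf --qdf or pypdf) before running it."""
    urls = []
    for m in _URI.finditer(pdf):
        if m.group(1) is not None:
            urls.append(_unescape_literal(m.group(1)))
        else:
            h = re.sub(rb"\s", b"", m.group(2))
            if len(h) % 2:  # PDF treats a missing final hex digit as 0
                h += b"0"
            urls.append(bytes.fromhex(h.decode("ascii")).decode("latin-1"))
    return urls


def link_farm_check(pdf, max_size=64 * 1024, min_pdf_links=8, cluster_share=0.5):
    """Assumed re-implementation of the PDF_SEO_LINK_FARM idea: a small file whose
    clickable links mostly point at external .pdf targets that cluster either on
    one host or, as in the report's sample, on one generated path template."""
    urls = extract_uri_links(pdf)
    pdf_links = [u for u in urls if urlparse(u).scheme in ("http", "https")
                 and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    # Collapse digit runs so /uploads/1/3/0/6/130621675 and /uploads/1/3/0/2/130288962 match.
    templates = Counter(re.sub(r"\d+", "N", urlparse(u).path.rsplit("/", 1)[0]) for u in pdf_links)
    n = len(pdf_links)
    host, host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    tpl, tpl_n = templates.most_common(1)[0] if templates else (None, 0)
    host_share = host_n / n if n else 0.0
    tpl_share = tpl_n / n if n else 0.0
    return {
        "size": len(pdf), "url_count": len(urls), "pdf_link_count": n,
        "distinct_hosts": len(hosts), "top_host": host, "top_host_share": host_share,
        "path_template": tpl, "template_share": tpl_share,
        "flagged": len(pdf) <= max_size and n >= min_pdf_links
                   and max(host_share, tpl_share) >= cluster_share,
    }


if __name__ == "__main__":
    for key, value in link_farm_check(build_sample_pdf(SAMPLE_URLS)).items():
        print(f"{key:>16}: {value}")
```

On the constructed sample the host share is only 0.1 (every link sits on a different domain), so a host-only rule like the one described in the heuristic text would miss it; the template share of 1.0 is what flags it. Run the scanner on a real file with `link_farm_check(open(path, "rb").read())` after inflating object streams if the document uses them.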

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000027de.bin
SHA-256: ee7433e0980ea34c6c3a3b67bf55a2cce1ce62a17115b1fe22e1b265711b2bad
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x27DE
Size: 7972 bytes