Malicious PDF — malware analysis report

Static analysis result for SHA-256 6394b2763faeb76b…

Verdict: MALICIOUS
File type: PDF
Size: 47.4 KB
Authoring application: PDFedit
MD5: 19ee4fbee9060b7cd890fd336e401f75
SHA-1: efe45eb4958c021ffd64322dda81351b958234dd
SHA-256: 6394b2763faeb76bd81f88c007c932fe764af8bac7bb585ffeb8ed285adecbfb
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded URLs pointing to other PDF files, indicative of a link farm or SEO spam campaign. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly suggest malicious intent. The document body, though heavily obfuscated, contains references to popular media, likely as a lure to encourage downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001331.bin
SHA-256: 8fd9eaaa2c4152ac4b49f00b382159c37fa7c5058c0523e4b57fe2bad1ddfbea
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1331
Size: 10376 bytes