Malicious PDF — malware analysis report

Static analysis result for SHA-256 645dbd3a4e46289d…

Verdict: MALICIOUS
File type: PDF
Size: 37.9 KB
Authoring application: Mobipocket Creator
MD5: 4a330c612a11366d13e0c7bd92c06ada
SHA-1: 906a742b4c6c8785951aeb0f6ebbb29aba8e9149
SHA-256: 645dbd3a4e46289dc4d408166a21f9dd6cd41063f9fb60f8dc22d8d3468b1930
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of embedded links to external PDF files hosted on various domains. This behavior is indicative of a link farm or a mechanism to distribute further malicious content or engage in SEO manipulation. The ClamAV detection and ML classifier strongly suggest malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000123d.bin
SHA-256: ec4355ee820fd88d02064f385f026fbf04bd53ea2b4760eaaa041b0cb1b285b9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x123D
Size: 10680 bytes