Malicious PDF — malware analysis report

Static analysis result for SHA-256 6523959bd3d8636b…

MALICIOUS

PDF

Size: 97.9 KB
Authoring application: QPDF
MD5: e7f5f5ed730fc1a900f7300c155057a7
SHA-1: 65ac3b45bbe27444c1b5fefa57aa890ee418f37c
SHA-256: 6523959bd3d8636b6ee48506da0c0e813251f654ebf2384d0f5c9d778eb68a81
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was flagged by multiple heuristics, including a critical finding for a PDF link farm containing 31 external links. The embedded URLs suggest a phishing or malware distribution campaign. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://rockyridgeacres.org/uploads/1/3/0/4/130489072/674681.pdf
    • http://kunurin.factandi.tech/uploads/2020/01/27/wefofiforonu-jekivejo.pdf
    • http://zovugominu.wedid.ru/uploads/2020/01/27/348852f02f5.pdf
    • http://mirigos.tvori-shedevr.ru/uploads/2020/01/28/89bdfb1de2.pdf
    • http://thecurbcompanyllc.net/uploads/1/3/0/3/130379232/6295261.pdf
    • http://bmnfire.com/uploads/1/3/0/3/130323914/b761c8cb3d.pdf
    • https://muxuruwakik.weebly.com/uploads/1/3/0/5/130589220/361793.pdf
    • http://ligexama.op2r.icu/uploads/2020/01/28/75dca.pdf
    • http://agm001.icu/uploads/2020/01/27/2671746.pdf
    • http://log-pool-table.com/uploads/1/3/0/3/130313284/8295349.pdf
    • http://keepdivealive.com/uploads/1/3/0/6/130640072/61486c7df40.pdf
    • http://khv-gsm.ru/uploads/2020/01/28/2344099.pdf
    • http://sumezepon.tailgaitproweb.xyz/uploads/2020/01/29/8254851.pdf
    • http://vietnamconsult.online/uploads/2020/01/27/fojul.pdf
    • https://nusukigulol.weebly.com/uploads/1/3/0/5/130539497/basisuvopefumu.pdf
    • https://vujofonevejum.weebly.com/uploads/1/3/0/5/130551245/gewaj_nasowuzobo_lakukikeledar.pdf
    • https://bawefomubaduver.weebly.com/uploads/1/3/0/4/130483842/9574073.pdf
    • https://tuvoluji.weebly.com/uploads/1/3/0/5/130546244/vunenuzaxewavoza.pdf
    • http://mscbmx.com/uploads/1/3/0/6/130639757/f9556bd8c4a08e.pdf
    • http://letssimplify.us/uploads/1/3/0/6/130604805/568c09184.pdf
    • http://zedozowale.agicole-acces.com/uploads/2020/01/28/4813391.pdf
    • http://ker.difmed.com/uploads/2020/01/29/sepomuwurogolisenu.pdf
    • http://photosyouask.com/uploads/1/3/0/5/130539597/130539597.html#c+p+w+full+form
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000017fd.bin | 12a74b754820c189dcde3a916d2380ce08bfc2062f5b673d105ee38930c377ce | pdf-font-stream | PDF embedded font (sfnt) at offset 0x17FD | 8316 bytes
font_01_sfnt_off0001049a.bin | fb31025025499a0fb01c3c1bd89e32baf051e66ef536a35089523545b6160756 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1049A | 16248 bytes
font_02_sfnt_off00011d79.bin | 9622898eda93030e798e42ddf21425d7def646e8d37d0b9ca2f72fe2479ad70d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11D79 | 20132 bytes