Malicious PDF — malware analysis report

Static analysis result for SHA-256 659194d02fda8f46…

MALICIOUS

PDF

34.5 KB Authoring application: QPDF
MD5: 1e7a18f78b36a6f763fc12f2001144ca SHA-1: 7f8c720a507fce2bb8c53f52bbdaaa7b64899fa4 SHA-256: 659194d02fda8f469fb84aa17792c97d4fc0ab270d259ed7d0a63ec238c9bd8e
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded links to other PDF files, masquerading as an Android application download. This behavior is indicative of a phishing or malware distribution scheme. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to distributing further payloads or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://modestotowingservice.com/uploads/1/3/0/5/130590297/2929612.pdf
    • http://thumbderstruck.com/uploads/1/3/0/7/130738705/gixexuxur.pdf
    • http://cameronmallory.com/uploads/1/3/0/6/130620274/3c167a15bec44c.pdf
    • http://arscom.com/uploads/1/3/0/8/130874400/rovasi_berek_zidimowegovu.pdf
    • http://www.jubileomarianoporlapaz.com/uploads/1/3/0/3/130313038/nokotoposid.pdf
    • http://www.hardingriver.com.au/uploads/1/3/0/6/130604363/badazabikiz.pdf
    • http://www.pinklilyjewelry.com/uploads/1/3/0/4/130489097/1571331.pdf
    • http://www.mykimbarey.com/uploads/1/3/0/8/130874408/kakep.pdf
    • http://www.creativwork.net/uploads/1/3/0/6/130620280/819386.pdf
    • http://www.catelecommunications.co.uk/uploads/1/3/0/7/130739284/gegepewesufezij.pdf
    • http://mx.grandsalinelibrary.com/uploads/1/3/0/9/130969504/130969504.html#filezilla+server+android+apk

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000308f.bin
c81155715107b09cb553330d49351bdd683564b3f8e10b7f52dde67106b87601		 pdf-font-stream PDF embedded font (sfnt) at offset 0x308F 8040 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.