Malicious PDF — malware analysis report

Static analysis result for SHA-256 670bef992d6d8206…

Verdict: MALICIOUS
File type: PDF
Size: 42.8 KB
Authoring application: Karbon
MD5: bb59c00c562fa0472d9a51bca02a778e
SHA-1: 393907bb88b799a2843966c6e7a4d5bb3047a6c4
SHA-256: 670bef992d6d8206a1e828e1e317e0136f703a99683200d01a61667a16900a2f
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link-farming or content-hosting scheme. The ML classifier and ClamAV detection strongly indicate malicious intent, specifically classified as phishing. The embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) [PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001861.bin
SHA-256: abeba5ce59c0c398a7d20f64393d0bdd04c91171697b1cfffd83b4e7e95b40ff
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1861
Size: 10172 bytes