Malicious PDF — malware analysis report

Static analysis result for SHA-256 68482317a8b99c31…

MALICIOUS

PDF

Size: 55.2 KB
Authoring application: pstoedit
MD5: 52e51ff92d72d39f317c8561737f99e9
SHA-1: c33ca7adbfa79d0a4c947d5fbf3c9fd76cd1ff01
SHA-256: 68482317a8b99c31a5b2cb1ede0e69484ff84905b1072ef9ffa16bcc040be2f3
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded links to external PDF documents, as indicated by the PDF_SEO_LINK_FARM heuristic. This technique is often used for SEO manipulation or to distribute malicious payloads. While no scripts were explicitly extracted, the presence of numerous external links suggests a potential for further malicious activity, such as downloading and executing additional malware. The ClamAV detection and ML classifier further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://silverado1998v8.com/uploads/1/3/0/3/130324227/gibosub.pdf
    • http://seductionsyndicate.com/uploads/1/3/0/5/130589151/joveserotigulezez.pdf
    • http://adhdplanet.org/uploads/1/3/0/5/130551298/bubegigowibumi-votujejoxi.pdf
    • http://restorehouse.org/uploads/1/3/0/6/130620454/8797231.pdf
    • http://chunchorecords.com/uploads/1/3/0/7/130739632/natit.pdf
    • http://firstbaptistpj.com/uploads/1/3/0/2/130273735/1443561.pdf
    • http://www.athletesthatgolf.com/uploads/1/3/0/6/130639924/regagumosoxuv.pdf
    • http://quantuminstruments.com/uploads/1/3/0/4/130436181/lelewerafudowix-xaribo-zudulex-mulipovajinema.pdf
    • http://wallgears.com/uploads/1/3/0/8/130874213/fapanemigigovuwopexu.pdf
    • http://www.aliveatfivecgp.com/uploads/1/3/0/6/130620371/5973484.pdf
    • http://eliahypnosis.com/uploads/1/3/0/7/130775567/tujepe.pdf
    • http://trixiekitty.com/uploads/1/3/0/6/130620986/bidon-bulunisowufo-kupusojajapug-wibexawowukepoj.pdf
    • http://markslaughterblog.com/uploads/1/3/0/5/130541662/8663394.pdf
    • http://rockmelbourne.church/uploads/1/3/0/8/130813750/7132332.pdf
    • http://foto-research.com/uploads/1/3/0/7/130738720/bizofuv.pdf
    • http://maths.daveict.com/uploads/1/3/0/3/130323172/buxivojeji-bejurujokiwuja-jelejuzuzo-xasapupamanusis.pdf
    • http://bhsfineartsboosters.org/uploads/1/3/0/3/130324357/130324357.html#adrenal+cortex+hormones+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Artifact 1
Filename: font_00_sfnt_off000059ce.bin
SHA-256: 4d9ec2aec8f1ca6bebe1b56492fd55a77bba3a6e98efb76508c1b835d4eb9912
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x59CE
Size: 2860 bytes

Artifact 2
Filename: font_01_sfnt_off0000633f.bin
SHA-256: ddc6c38a5929b263b215a5b0c7aa8b1a409f146866f06980111f9f21a6232bf4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x633F
Size: 16036 bytes

Artifact 3
Filename: font_02_sfnt_off00007ac9.bin
SHA-256: 22b441e49374b7883a4ec770789a0bf030a6826d6b2e7d616cff38d5bae76480
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7AC9
Size: 8924 bytes