Malicious PDF — malware analysis report

Static analysis result for SHA-256 69f0990f55da0ebb…

Verdict: MALICIOUS
File type: PDF
Size: 46.8 KB
Authoring application: Solid Converter PDF
MD5: f653f0a83d6dfb396234e3ce435f2acb
SHA-1: a8c0a30356e8d11c3ebf7ea062ea4327e3f730a6
SHA-256: 69f0990f55da0ebbb5fc4cd6beeb92a7bfc540102d209a2bdfce394fc17f3450
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file contains a large number of embedded URLs, identified as a link farm, which is a common tactic for SEO poisoning and distributing malicious content. The ClamAV detection and ML classifier strongly indicate maliciousness. The embedded URLs likely lead to further malicious PDF downloads, aiming to trick users into believing they are accessing legitimate educational materials.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001319.bin
    SHA-256: 69830172a58e5334ac4460df9d32a26e38debbdcc6bfba42c95e1938290d961d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1319
    Size: 8728 bytes
  • Filename: font_01_sfnt_off0000634e.bin
    SHA-256: 7177dac2369ecd3d820422db2ceccffe0efe8f09826c137fc8c41705495a7405
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x634E
    Size: 12784 bytes