Malicious PDF — malware analysis report

Static analysis result for SHA-256 6af13c3b89c3dccc…

Verdict: MALICIOUS
File type: PDF
Size: 50.2 KB
Authoring application: Serif PagePlus
MD5: ae0fb8957b5f0b74dc9eef1af607eb9f
SHA-1: 925fe3e65062f16cc4d7ff949f681ee2bda59280
SHA-256: 6af13c3b89c3dcccf58319db0a4aa02cf70195529e4f23bb00e9014a076c0ee5
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded link annotations pointing at other PDF files hosted on many different domains, almost all of them under the same /uploads/1/3/0/... path structure. This is the signature of an SEO link farm or a distribution hop that routes the reader on to further malicious or unwanted content, and it is consistent with both the ClamAV detection and the ML classifier verdict. The visible body text is mostly garbled but includes the string 'Present perfect simple i continuous exercises pdf', which reads like a grammar-worksheet title and appears to be the search-bait lure that disguises the purpose of the links. Note that the file is tiny (50.2 KB) for a document carrying this many external references, and that the remaining URLs (ascendercorp.com, dejavu.sourceforge.net, fedoraproject.org) are font licence links left behind by the embedded fonts rather than part of the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://tuliptreatments.com/uploads/1/3/0/4/130489742/c9243de9299527.pdf
    • http://nodipleague.weebly.com/uploads/1/3/0/2/130287890/bcb272dd6764fa.pdf
    • http://delgiacconeuroarttherapy.com/uploads/1/3/0/6/130604452/jupojetofiw.pdf
    • http://navasotaminerals.com/uploads/1/3/0/5/130539009/5856364.pdf
    • http://crapradio.net/uploads/1/3/0/5/130588213/dabixikosuj.pdf
    • http://seattleyouthbasketballfoundation.com/uploads/1/3/0/4/130488631/5533781.pdf
    • http://gwbmusic.com/uploads/1/3/0/5/130540193/81fac1ec7e4f.pdf
    • http://coyraid67.com/uploads/1/3/0/2/130289765/fuwodufop.pdf
    • http://thehallofframe.com/uploads/1/3/0/5/130588221/4126962.pdf
    • http://israel-civilian-k9-unit.org/uploads/1/3/0/4/130483678/7dba1bd50.pdf
    • http://poporowopa.remont-turbin-orenburg.ru/uploads/2020/01/28/1948189.pdf
    • http://leachfamilyfarms.weebly.com/uploads/1/3/0/5/130589191/807305.pdf
    • http://vikabibikova.ru/uploads/2020/01/28/bovazadexedex_gebutazivusalaf_kowarufo_sakak.pdf
    • http://lichteinsurance.com/uploads/1/3/0/6/130604595/c8f024fd1373.pdf
    • http://mrswatsonsroom.com/uploads/1/3/0/5/130590059/4529770.pdf
    • http://deannalindstrom.com/uploads/1/3/0/6/130639231/4611022.pdf
    • http://linwoodpto.com/uploads/1/3/0/3/130323422/paxolawekutujew-namopogi-wixakamuvi.pdf
    • http://nobuhotelmarbella.devsite-1.com/uploads/1/3/0/5/130588230/130588230.html#present+perfect+simple+i+continuous+exercises+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
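The PDF_SEO_LINK_FARM rule above combines three observations: the file is small, it carries many clickable external links, and most of those links end in .pdf. The following is an added example of how such a rule can be scored over raw PDF bytes; it is not the scanner's own rule code. The thresholds (at least 15 external links, at least 60% of them to .pdf files, file size at most 1 MiB), the 'top host share' clustering measure, the example.* hostnames and the sample PDF builder are all my assumptions, constructed to mirror the shape of the URLs listed above.

```python
"""Link-farm scoring for a PDF, in the spirit of the PDF_SEO_LINK_FARM heuristic.

Added example, not the scanner's own rule code. The thresholds and the
'top host share' measure are assumptions. URIs are pulled with a regex over
the raw bytes, which catches link annotations written in the clear but misses
ones inside compressed object streams; a real scanner walks the parsed
/Annots tree instead.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI (...) literal strings; PDF escapes parentheses inside a string with a backslash
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes):
    """Every /URI (...) string found in the file, with escaped parentheses undone."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")")
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_score(pdf_bytes, min_links=15, min_pdf_share=0.6, max_size=1 << 20):
    """Summarise the external links and decide whether the link-farm rule fires."""
    uris = extract_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    report = {
        "size": len(pdf_bytes),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "pdf_share": len(pdf_links) / len(external) if external else 0.0,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / len(pdf_links) if pdf_links else 0.0,
    }
    # Assumed rule: small file, many external links, most of them to other PDFs.
    report["hit"] = (
        len(pdf_bytes) <= max_size
        and len(pdf_links) >= min_links
        and report["pdf_share"] >= min_pdf_share
    )
    return report


def build_sample_pdf(urls):
    """Constructed sample: one page whose /Annots are /Link annotations with /URI actions.
    There is no xref table, so it is regex-scannable rather than a rendering-grade PDF."""
    annots = [b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
              b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>" for u in urls]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(annots)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>"] + annots
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"%%EOF\n"


# Constructed URL mix mirroring the shape of the list above: 18 links to .pdf files under
# /uploads/ paths on three assumed hosts, plus two ordinary page links of the kind that
# embedded font licences leave behind.
SAMPLE_URLS = (
    ["http://farm-a.example/uploads/1/3/0/4/1304897%02d/doc%d.pdf" % (i, i) for i in range(12)]
    + ["http://farm-b.example/uploads/1/3/0/5/1305390%02d/doc%d.pdf" % (i, i) for i in range(4)]
    + ["http://farm-c.example/uploads/2020/01/28/19481%02d.pdf" % i for i in range(2)]
    + ["http://fonts.example/", "http://fonts.example/license.html"]
)

if __name__ == "__main__":
    for label, urls in (("link farm", SAMPLE_URLS), ("ordinary doc", SAMPLE_URLS[-2:])):
        print(label, link_farm_score(build_sample_pdf(urls)))
```

The distinct_hosts and top_host_share fields are there because the rule text says "mostly clustered on one host" while the sample above spreads its links over many hosts that share one path layout; keeping both numbers in the report lets an analyst see which variant of the farm they are looking at instead of collapsing it to a single boolean.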

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00001527.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1527  7960 bytes
  SHA-256: 0552f90ecfbec61e9088a3e50b012f525713c4321a5e1af976088576d6ea6e1c
font_01_sfnt_off0000746a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x746A  16140 bytes
  SHA-256: 0f23141ba94d37b49c53016ac63a9b008a6ac8e4c4656a8d80e6725f77750189
font_02_sfnt_off00008915.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8915  2604 bytes
  SHA-256: 83d89f79375f7f339e88070a8779324ce221c94923bff415e388e162fbc46cfe