Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e758a5408647737…

Verdict: MALICIOUS
File type: PDF
Size: 44.5 KB
Authoring application: Serif PagePlus
MD5: c198ffdfbd4a135813209eb6a8ccf381
SHA-1: e45ea18e18b0bd819012582159b32ac89b6e9ca0
SHA-256: 6e758a5408647737c3e733b7265d05bd8d3ddf154445034e2d5b8cf958d47fed
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic. The link targets are further PDF files spread across many unrelated domains that all share the same /uploads/1/3/0/N/<id>/ directory layout and machine-generated file names, plus one HTML page whose URL fragment is a keyword string (sap+s4+hana+migration+options); this is the signature of a generated SEO/link-farm carrier that routes readers into a further download chain rather than a document citing sources. Together with the Nyx PDF classifier score of 1.0 and the ClamAV phishing signature, this strongly indicates malicious intent, most likely phishing or malware distribution. The last five extracted URLs (ascendercorp.com, the Fedora Liberation font licence page and dejavu.sourceforge.net) are the vendor and licence URLs carried in the name tables of Liberation and DejaVu fonts; they most likely come from the embedded font streams listed under Extracted artifacts rather than from link annotations, and should not be treated as indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://finchleather.uk/uploads/1/3/0/5/130543133/3b3e7e0cb6b5a24.pdf
    • http://rowanlestat.com/uploads/1/3/0/5/130590059/lakutono_lopufudopetu_sonag_fekilajiba.pdf
    • http://huffmanshomestead.com/uploads/1/3/0/3/130313150/nipogojot_nujidowupo_negobin.pdf
    • http://mnsportslocker.com/uploads/1/3/0/7/130775130/werubin.pdf
    • http://mysweettopia.info/uploads/1/3/0/4/130435638/sesoku_roruzaxipon_funexonomozu_vegosilugixak.pdf
    • http://calvinlessel.com/uploads/1/3/0/4/130476014/8024408d12c99a3.pdf
    • http://help4helpless.org/uploads/1/3/0/7/130738771/vupata.pdf
    • http://direccionsolex.net/uploads/1/3/0/6/130620626/50d53.pdf
    • http://miandhepiano.com/uploads/1/3/0/3/130324005/90e5239b7.pdf
    • http://basecamp-branding.com/uploads/1/3/0/6/130604373/33395cfd489c0.pdf
    • http://wisdomfarm.net/uploads/1/3/0/7/130775491/fegixonoxobiwifilo.pdf
    • http://nancerealtyservices.com/uploads/1/3/0/5/130546283/7de1cf7dce8204.pdf
    • http://iamthesystem.net/uploads/1/3/0/5/130539101/1861318.pdf
    • http://stoit-kak-kamen.host/uploads/1/3/0/6/130621765/ranelelujedon.pdf
    • http://npep.com/uploads/1/3/0/5/130589108/xupunugujuruti_samerimaz_denefaniku_tamerozowuk.pdf
    • http://gtarealestate.forsale/uploads/1/3/0/6/130639445/tejawefetitulobo.pdf
    • http://host133.carmichaelnl.com/uploads/1/3/0/3/130379377/130379377.html#sap+s4+hana+migration+options
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off000030f3.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x30F3
  Size:    2600 bytes
  SHA-256: 915baeb1e29b1296448dc25187851e9706b77add1d29a836586dd6d4826066cd

font_01_sfnt_off00003984.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x3984
  Size:    16204 bytes
  SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d

font_02_sfnt_off00005162.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x5162
  Size:    8052 bytes
  SHA-256: 5d97f0d26f79913c2eb6a5e9b2bb3a944d5b8410dd2bd211a64ad24adf5feb37
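The font streams in the table above are carved by locating embedded font streams, inflating them and checking for an sfnt signature. The Python below is an added example and not the platform's own carving code: it walks every stream in the raw bytes, uses the direct /Length where one is present, inflates FlateDecode streams and keeps those whose first four bytes are an sfnt tag, reporting the stream offset, decoded size and SHA-256 in the same shape as the table. FAKE_SFNT and build_pdf_with_font() are constructed test inputs (the "font" is only an sfnt header with one table record, not a usable TrueType file); object streams, cross-reference streams and indirect /Length values are not handled.

```python
import hashlib
import re
import struct
import zlib

STREAM_RE = re.compile(rb'(?<!end)stream\r?\n')              # skip the "stream" inside "endstream"
LENGTH_RE = re.compile(rb'/Length\s+(\d+)(?!\s+\d+\s+R)')     # direct /Length only, not "7 0 R"
SFNT_MAGICS = (b'\x00\x01\x00\x00', b'OTTO', b'true', b'ttcf')  # TrueType, CFF OpenType, Mac, collection


def carve_sfnt_fonts(pdf_bytes: bytes) -> list[dict]:
    """Find every PDF stream, inflate FlateDecode ones and keep those that start with an sfnt tag."""
    found = []
    for m in STREAM_RE.finditer(pdf_bytes):
        start = m.end()
        # The stream dictionary sits just before the keyword; cut the window at the previous endobj
        # so an earlier object's /Length or /Filter cannot leak into this one.
        head = pdf_bytes[max(0, m.start() - 512):m.start()]
        k = head.rfind(b'endobj')
        head = head[k:] if k >= 0 else head
        lengths = LENGTH_RE.findall(head)
        if lengths:
            raw = pdf_bytes[start:start + int(lengths[-1])]
        else:  # indirect /Length: fall back to the endstream keyword
            raw = pdf_bytes[start:pdf_bytes.find(b'endstream', start)].rstrip(b'\r\n')
        data = raw
        if b'/FlateDecode' in head:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or non-zlib data; not a carvable font
        if data[:4] in SFNT_MAGICS:
            found.append({'offset': start, 'size': len(data),
                          'sha256': hashlib.sha256(data).hexdigest()})
    return found


def build_pdf_with_font(font: bytes, flate: bool = True) -> bytes:
    """Constructed PDF fragment: a plain content stream, a FontDescriptor and its /FontFile2 stream."""
    content = b'0 0 m 100 100 l S'
    payload = zlib.compress(font) if flate else font
    filt = b' /Filter /FlateDecode' if flate else b''
    objs = [
        b'<< /Length %d >>\nstream\n' % len(content) + content + b'\nendstream',
        b'<< /Type /FontDescriptor /FontName /Fake /FontFile2 3 0 R >>',
        b'<< /Length %d%s >>\nstream\n' % (len(payload), filt) + payload + b'\nendstream',
    ]
    body = b''.join(b'%d 0 obj\n' % (i + 1) + o + b'\nendobj\n' for i, o in enumerate(objs))
    return b'%PDF-1.4\n' + body + b'trailer\n<< /Root 1 0 R >>\n%%EOF\n'


# Constructed "font": an sfnt offset table with one 'head' record and zero filler (82 bytes).
FAKE_SFNT = (b'\x00\x01\x00\x00' + struct.pack('>4H', 1, 16, 0, 0)
             + b'head' + struct.pack('>3I', 0, 28, 54) + b'\x00' * 54)
SAMPLE_PDF = build_pdf_with_font(FAKE_SFNT)

if __name__ == '__main__':
    for f in carve_sfnt_fonts(SAMPLE_PDF):
        print(f"font at offset 0x{f['offset']:X}, {f['size']} bytes, sha256 {f['sha256']}")
```

The content stream is visited too but discarded because it does not start with an sfnt tag; that is the check that separates "embedded font" from any other stream. Hashing the decoded bytes rather than the compressed stream is what makes the SHA-256 comparable across samples that embed the same font with different compressor settings.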