Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e858ea17d81d156…

Verdict: MALICIOUS
File type: PDF
Size: 49.6 KB
Authoring application: SWFTools
MD5: 91c5d0c1014524c455c524421b11cb23
SHA-1: 15a1541cad2abdf1cfc1a3f973483fefc2ccdd52
SHA-256: 6e858ea17d81d156c13fa96043d95b0ec4dd54206938e8216035b5e9c7d1d55f
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries 24 extracted URLs, 21 of which point at other PDF files, a pattern characteristic of SEO spam and of link-farm carrier documents used to route victims toward malicious content. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier score of 0.9999 both indicate malicious intent, most likely phishing or malware distribution. No scripts were extracted, so the sample appears to rely on luring the user to click rather than on a reader exploit; the outbound links are its payload. The link targets share two machine-generated path templates (/uploads/1/3/0/N/13NNNNNNN/<name>.pdf and /uploads/2020/01/2N/<name>.pdf), which is not what a human-authored citation list looks like. The remaining three URLs are GNU FreeFont licence links and most plausibly originate from the two embedded sfnt fonts listed under Extracted artifacts rather than from the page content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels identify which channel (macro, JS, link annotation, document body, ...) reached each URL. Those channel labels are not reproduced in this listing, so the 24 URLs below are shown without them.
    • http://bukvaprava-ie.ru/uploads/2020/01/28/bamamebabo-lekinerijike.pdf
    • https://pikimipev.weebly.com/uploads/1/3/0/6/130604333/664432.pdf
    • http://legacycreekgsmd.com/uploads/1/3/0/5/130588678/vumaganitewe.pdf
    • http://tefepo.nembutaldelivery.com/uploads/2020/01/28/f6c8af6.pdf
    • http://cocovonbonbon.com/uploads/1/3/0/3/130323822/jaduwoxidanisu_dalowixejipo.pdf
    • https://fimemevele.weebly.com/uploads/1/3/0/4/130490181/f5adf815410b90.pdf
    • http://xadav.interbc-online.com/uploads/2020/01/27/8242288.pdf
    • http://michalrutkowski.net/uploads/1/3/0/4/130476684/ragupomimapeb.pdf
    • http://northernlightshockeynj.com/uploads/1/3/0/6/130620627/lebetiduligisarab.pdf
    • http://dewomax.championscrapcars.com/uploads/2020/01/28/lagutuw_wifuxazomakepe.pdf
    • http://davewalcott.com/uploads/1/3/0/6/130620747/ca9b08.pdf
    • http://lacasadelcocodrilo.org/uploads/1/3/0/4/130483348/tejabimud.pdf
    • http://atlantadentalanesthesia.com/uploads/1/3/0/6/130640069/6617878.pdf
    • http://sportsfxn.com/uploads/1/3/0/4/130488810/f14da9973fed.pdf
    • http://bewellmindset.org/uploads/1/3/0/3/130323934/fadizafogufajut-gatigegalexebam-pozewudub.pdf
    • http://transparenttransformations.com/uploads/1/3/0/4/130435930/8161e70dd13e8.pdf
    • https://vudixoxim.weebly.com/uploads/1/3/0/5/130538841/c9df6ac57d117e2.pdf
    • http://navazomom.bsvwordwidetravel.com/uploads/2020/01/27/150321.pdf
    • http://mschangart.weebly.com/uploads/1/3/0/5/130540501/6494639.pdf
    • http://restavratsiya.com/uploads/2020/01/28/50173.pdf
    • http://jegiruw.darkempires.ca/uploads/2020/01/29/basam.pdf
    • http://advance-it.net/uploads/1/3/0/2/130274169/130274169.html#bal+gangadhar+tilak+books+in+telugu+pdf
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
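The PDF_SEO_LINK_FARM heuristic and the per-URL channel labels mentioned under EMBEDDED_URL can be reproduced in a few dozen lines. The following is an added example, not code from the report's scanner: it walks a PDF's objects, attributes each URL to the channel that carries it (link annotation, inline JavaScript, or decoded content stream), and scores the link-farm pattern. The thresholds (200 KB, 10 links, 50% .pdf targets, 50% on the dominant host), the example.com/.net/.org URLs and the minimal PDF builder are assumptions constructed for the demo; the sample's own bytes are not reproduced.

```python
"""Link-farm heuristic over raw PDF bytes (added example, not the report's code).

URLs are attributed to the channel that carries them: link annotations
(/Annot /Subtype /Link with a /URI action), inline JavaScript (/JS strings),
or the visible document body (decoded content streams). The thresholds are
illustrative assumptions, not the scanner's tuning.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

MAX_SIZE_BYTES = 200 * 1024   # "small PDF" (assumed threshold)
MIN_LINKS = 10                # "many clickable external links" (assumed)
MIN_PDF_FRACTION = 0.5        # share of links whose target is itself a .pdf (assumed)
MIN_TOP_HOST_SHARE = 0.5      # "mostly clustered on one host" (assumed)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# PDF literal strings end at the first unescaped ')'; '\(' and '\)' are skipped.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
JS_RE = re.compile(rb"/JS\s*\(((?:\\.|[^\\)])*)\)")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def extract_urls(pdf):
    """Return (url, channel) pairs found in the PDF's indirect objects.
    Only inline /JS strings are handled (not /JS streams); that is enough
    to show the channel labelling."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        if b"/Subtype" in body and b"/Link" in body:          # link annotation
            for uri in URI_RE.findall(body):
                found.append((uri.decode("latin-1"), "link-annotation"))
        if b"/JavaScript" in body:                            # JS action
            for js in JS_RE.findall(body):
                for url in URL_RE.findall(js):
                    found.append((url.decode("latin-1"), "javascript"))
        sm = STREAM_RE.search(body)                           # document body
        if sm:
            raw = sm.group(1)
            if b"/FlateDecode" in body:
                try:
                    raw = zlib.decompress(raw)
                except zlib.error:
                    pass  # corrupt stream: fall back to scanning the raw bytes
            for url in URL_RE.findall(raw):
                found.append((url.decode("latin-1"), "document-body"))
    return found


def link_farm_score(pdf):
    """Score the PDF_SEO_LINK_FARM pattern: small file, many external link
    annotations, most of them to .pdf targets, most on a single host."""
    links = sorted({u for u, ch in extract_urls(pdf) if ch == "link-annotation"})
    n = len(links)
    hosts = Counter(urlsplit(u).hostname or "" for u in links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    pdf_frac = sum(urlsplit(u).path.lower().endswith(".pdf") for u in links) / n if n else 0.0
    top_share = top_count / n if n else 0.0
    flagged = (len(pdf) <= MAX_SIZE_BYTES and n >= MIN_LINKS
               and pdf_frac >= MIN_PDF_FRACTION and top_share >= MIN_TOP_HOST_SHARE)
    return {"size": len(pdf), "links": n, "pdf_fraction": pdf_frac,
            "top_host": top_host, "top_host_share": top_share, "link_farm": flagged}


def build_sample_pdf(link_urls, js_url=None, body_url=None):
    """Build a minimal PDF with one link annotation per URL, an optional OpenAction
    JavaScript that launches js_url, and optional visible text containing body_url.
    Constructed test input, not the analysed sample."""
    text = b"Visit " + body_url.encode() + b" for details" if body_url else b"Document"
    deflated = zlib.compress(b"BT /F1 12 Tf 72 720 Td (" + text + b") Tj ET")
    first_annot = 6
    annots = b" ".join(b"%d 0 R" % (first_annot + i) for i in range(len(link_urls)))
    objs = {
        1: b"<< /Type /Catalog /Pages 2 0 R" + (b" /OpenAction 5 0 R" if js_url else b"") + b" >>",
        2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots [" + annots + b"] >>",
        4: b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(deflated) + deflated + b"\nendstream",
    }
    if js_url:
        objs[5] = b'<< /S /JavaScript /JS (app.launchURL\\("' + js_url.encode() + b'"\\)) >>'
    for i, url in enumerate(link_urls):
        objs[first_annot + i] = (b"<< /Type /Annot /Subtype /Link /Rect [72 %d 300 %d] /Border [0 0 0] "
                                 b"/A << /S /URI /URI (%s) >> >>" % (700 - 14 * i, 712 - 14 * i, url.encode()))
    out, offsets = bytearray(b"%PDF-1.4\n"), {}
    for num in sorted(objs):
        offsets[num] = len(out)
        out += b"%d 0 obj\n" % num + objs[num] + b"\nendobj\n"
    xref_pos, size = len(out), max(objs) + 1
    out += b"xref\n0 %d\n0000000000 65535 f \n" % size
    for num in range(1, size):
        out += b"%010d 00000 n \n" % offsets[num] if num in offsets else b"0000000000 65535 f \n"
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, xref_pos)
    return bytes(out)


# Constructed inputs: a link-farm carrier (10 of 12 links on one host, 11 of 12 to .pdf)
# and an ordinary document with three citation links on three different hosts.
SAMPLE_LINKS = [f"http://files.example.com/uploads/1/3/0/4/{130400000 + i}/doc{i:02d}.pdf" for i in range(10)] + [
    "https://mirror.example.net/uploads/2020/01/28/doc10.pdf",
    "http://mirror.example.org/uploads/2020/01/28/index.html#doc11",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS, js_url="http://js.example.net/loader.pdf",
                              body_url="http://text.example.org/readme.pdf")
BENIGN_PDF = build_sample_pdf(["https://www.example.org/licenses/",
                               "https://example.net/paper.pdf", "http://example.com/data.pdf"])

if __name__ == "__main__":
    for label, pdf in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(label, link_farm_score(pdf))
        print(label, dict(Counter(ch for _, ch in extract_urls(pdf))))
```

Against a file of this report's shape (49.6 KB, 24 extracted URLs, 21 of them ending in .pdf) the size, link-count and .pdf-fraction conditions trip; the host-clustering condition depends on how hosts are grouped (several of the listed hosts are weebly.com subdomains), so whether you cluster on hostname or on registered domain is worth deciding before reusing the thresholds.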

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000166a.bin
  SHA-256: 346ee535c1f9b7a8a9b4607f77057c637dbb0c4be77bfd83e16446073d2236e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x166A
  Size: 8052 bytes

Filename: font_01_sfnt_off00007817.bin
  SHA-256: 64f6173c8ee6a6199b1499047f15d47a0c5202784b5af267b9367ebc93aa0fcd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7817
  Size: 9016 bytes