Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ec3d85ce6e7ed96…

MALICIOUS

PDF

Size: 37.6 KB. Authoring application: pdf-parser
MD5: def9e90fc964cc6b00ad9f28ea4fed5a
SHA-1: 89a7b78d7b6aba6cca443e65dc957b9e66f82ebe
SHA-256: 6ec3d85ce6e7ed961bce51e2c1ac0c973fbbe13edc408dd136b77069b1c79a2b
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file contains a large number of embedded external links, a technique often used for SEO spam or to redirect users to malicious sites. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate malicious intent. The embedded links likely serve as a lure to download further malicious content or to engage in phishing activities.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical; PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001490.bin
SHA-256: bdb3f6d95c6224c8d8066e023593c1da7e5a42b67857d757a6fe10b0631d956f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1490
Size: 7648 bytes