Malicious PDF — malware analysis report

Static analysis result for SHA-256 70db837f7cc51da3…

Verdict: MALICIOUS
File type: PDF
Size: 35.0 KB
Authoring application: Nitro PDF
MD5: b4b5a1c4c654c6769e1e6d982f2b7e76
SHA-1: af544c54ac02c91b4ba9eee86e90adbe8b975065
SHA-256: 70db837f7cc51da3d0f8e7aaa1644ec7ac8d6d4014ab5c1e2b07624bee5e70da
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a mass external link farm, directing users to download other PDF files from various domains. This behavior is indicative of a phishing or malware distribution scheme, likely attempting to trick users into downloading malicious content under the guise of conference information. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://vijoniritesowe.weebly.com/uploads/1/3/0/5/130540280/78a61d3f6392a2.pdf
    • http://tapthesky.org/uploads/1/3/0/4/130483592/8065778.pdf
    • http://kikcrafts.com/uploads/1/3/0/3/130313006/d8d026.pdf
    • http://westtechmobile.ca/uploads/1/3/0/2/130291355/rufixijolugo-nutokavukomive-katuzil.pdf
    • http://cashcache.net/uploads/1/3/0/2/130287426/zuselibinebuwajef.pdf
    • http://naw.hotelbrisasdeguatape.com/uploads/2020/01/27/vufimadejo.pdf
    • http://lore.7x4.ru/uploads/2020/01/28/notig-bopirobosor.pdf
    • http://modestotowingservice.com/uploads/1/3/0/5/130539846/65b48bacce0f311.pdf
    • http://dsmodes.com/uploads/2020/01/28/rutetawapemakok.pdf
    • http://bernardobellostudio.com/uploads/1/3/0/5/130551505/130551505.html#european+stroke+organisation+conference+2021

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000121a.bin
SHA-256: 939227da6749caf06c1daf0fe26439f839d525a2fa6a04245c9b952912324b9a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x121A
Size: 8092 bytes