Malicious PDF — malware analysis report

Static analysis result for SHA-256 712ad10bad10fcb8…

Verdict: MALICIOUS
File type: PDF
Size: 68.2 KB
Authoring application: Serif PagePlus
First seen: 2021-04-25

MD5: 68a10f617020daef0cecea0c620dcc98
SHA-1: 72aae91c3a611630a2d0d354243e6b9c591c9269
SHA-256: 712ad10bad10fcb8eb6aaf7b13a1e331620031aa95bff778a5582eaf6f6c3f5f

Risk score: 152

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000013a9.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13A9
  Size: 9620 bytes
  SHA-256: 115b45a62a3c522c7b0bc09a5942ff366ca486d423cea4bb4f651cdd8441244b

Filename: font_01_sfnt_off0000bb64.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBB64
  Size: 16204 bytes
  SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d

Filename: font_02_sfnt_off0000d03f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD03F
  Size: 2652 bytes
  SHA-256: 1b3f82cd74c5b6671cc0c0d4a6c7877b74bb57ca469b2a61ef541918e41af838