Malicious PDF — malware analysis report

Static analysis result for SHA-256 73276d042849f10a…

Verdict: MALICIOUS
File type: PDF
Size: 35.1 KB
Authoring application: pstoedit
MD5: a706dd08c2931046d8359fe2d6048c96
SHA-1: 02cd023164a205284d3e797b2bd74012b0c715d8
SHA-256: 73276d042849f10a0a76d68926e1aa053f5d11e81ba2770fb6d290cad1d9c50d
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF embeds nine clickable external links, eight of them pointing at other .pdf files, spread across nine hosts that share the same /uploads/... path layout as the weebly.com link. This is what triggered the PDF_SEO_LINK_FARM heuristic: a generated link-farm carrier whose purpose is to route a reader into a further download chain, not a document citing references. The ClamAV signature and the ML classifier flag the file independently. No JavaScript or other script object was extracted from the sample, so the T1059.007 mapping rests on the tactic's typical use in this family rather than on a recovered artifact; on the evidence in this report the file's active content is its /URI link annotations, and the risk lies in where those links lead.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://tazelojovizazad.weebly.com/uploads/1/3/0/4/130483741/babezadubifafikifos.pdf
    • http://gor.feierverkspb.ru/uploads/2020/01/27/ff65a1611cc5.pdf
    • http://wetu.dekocasa.com/uploads/2020/01/28/zidokeju_webini.pdf
    • http://muratop.sqlcvt.net/uploads/2020/01/27/d805383268d.pdf
    • http://cidalcyc.com/uploads/1/3/0/3/130379204/7076271.pdf
    • http://latangoterra.com/uploads/1/3/0/5/130547069/nexas.pdf
    • http://party.su/uploads/2020/01/27/vutaperalomo_bupig.pdf
    • http://most-wanted-ent.com/uploads/1/3/0/6/130620672/jaxuxuboxobezu.pdf
    • http://northwestuu.com/uploads/1/3/0/6/130639678/130639678.html#protect+workbook+vs+worksheet
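The link-farm heuristic and the embedded-URL channel note above describe a check a triage analyst can reproduce without the sandbox: pull every /URI link-action target out of the PDF, group the targets by host, measure how many of them point at further .pdf files, and separately note whether any script-bearing keys (/JavaScript, /JS, /OpenAction, /AA, /Launch) are present at all. The script below is an added example written for this page, not the analysis platform's own detector; the PDF bytes it parses are constructed inline (hosts farm-a.test and farm-b.test are placeholders, not the hosts listed above), and the thresholds in link_farm_score are assumptions chosen to illustrate the heuristic, not the platform's values.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, built inline so the example runs offline. Six /Link
# annotations: five on one host (four .pdf targets, one .html) and one on a
# second host, mirroring the "many external .pdf links, clustered" pattern.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
   /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (http://farm-a.test/uploads/1/3/0/4/1.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [0 30 100 50] /A << /S /URI /URI (http://farm-a.test/uploads/1/3/0/4/2.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [0 60 100 80] /A << /S /URI /URI (http://farm-a.test/uploads/1/3/0/4/3.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /Rect [0 90 100 110] /A << /S /URI /URI (http://farm-a.test/uploads/1/3/0/4/4.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /Rect [0 120 100 140] /A << /S /URI /URI (http://farm-a.test/uploads/1/3/0/4/index.html) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /Rect [0 150 100 170] /A << /S /URI /URI <687474703a2f2f6661726d2d622e746573742f75706c6f6164732f323032302f30312f32372f782e706466> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed second sample: no links, but a document-open JavaScript action.
JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI values appear either as literal strings (...) or hex strings <...>.
URI_LITERAL = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.DOTALL)
URI_HEX = re.compile(rb'/URI\s*<([0-9A-Fa-f\s]*)>')
SCRIPT_KEYS = (b'/JavaScript', b'/JS', b'/OpenAction', b'/AA', b'/Launch')


def extract_uris(pdf: bytes) -> list:
    """Return every /URI action target found in the raw PDF bytes.

    Caveat: this scans uncompressed object syntax only. Annotations packed
    into /ObjStm object streams or behind /FlateDecode would need inflating
    first, which is exactly the evasion a real parser has to handle.
    """
    uris = []
    for m in URI_LITERAL.finditer(pdf):
        raw = re.sub(rb'\\([()\\])', rb'\1', m.group(1))  # undo \( \) \\ escapes
        uris.append(raw.decode('latin-1'))
    for m in URI_HEX.finditer(pdf):
        hexstr = re.sub(rb'\s', b'', m.group(1))
        if len(hexstr) % 2:
            hexstr += b'0'  # PDF pads an odd trailing nibble with 0
        uris.append(bytes.fromhex(hexstr.decode('ascii')).decode('latin-1'))
    return uris


def script_indicators(pdf: bytes) -> dict:
    """Count occurrences of keys that can carry active content."""
    return {k.decode(): pdf.count(k) for k in SCRIPT_KEYS if k in pdf}


def link_farm_score(pdf: bytes, size_limit=100 * 1024, min_links=5,
                    min_pdf_ratio=0.6, top_host_ratio=0.5) -> dict:
    """Illustrative link-farm heuristic (thresholds are assumed, not the
    platform's): a small file, many external links, most of them to .pdf
    files, with a majority of links on a single host."""
    uris = extract_uris(pdf)
    external = [u for u in uris if urlparse(u).scheme in ('http', 'https')]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith('.pdf')]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(external) if external else 0.0
    return {
        'size': len(pdf),
        'external_links': len(external),
        'pdf_links': len(pdf_links),
        'distinct_hosts': len(hosts),
        'top_host': top_host,
        'top_host_share': share,
        'script_indicators': script_indicators(pdf),
        'link_farm': (len(pdf) <= size_limit and len(external) >= min_links
                      and len(pdf_links) / len(external) >= min_pdf_ratio
                      and share >= top_host_ratio),
    }


if __name__ == '__main__':
    for name, blob in (('SAMPLE_PDF', SAMPLE_PDF), ('JS_PDF', JS_PDF)):
        print(name, link_farm_score(blob))
```

Run it on a real file with `link_farm_score(open(path, 'rb').read())`. The separation between the URL count and the script-indicator dictionary is deliberate: for the sample in this report the first should fire and the second should come back empty, which is the distinction the MITRE mapping above glosses over. Links alone do nothing until a reader clicks, so the follow-up is to fetch the targets in an isolated environment, not to look for an exploit in the carrier.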

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001172.bin
SHA-256:  48ba448567d1ccbb0d35272a0c892269ba52702aff22fa2b05eee961ca6ac150
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x1172
Size:     7836 bytes