Malicious PDF — malware analysis report

Static analysis result for SHA-256 736c950816492336…

MALICIOUS

PDF

Size: 51.0 KB
Authoring application: ImageMagick
MD5: 07e07fdc1ebfe71a7be7441fec3a8300
SHA-1: b080a57ac5e212f0d17ddad0c7505fd861cc44d3
SHA-256: 736c9508164923365dce14c2389ac99b215a0c5ba3409572dbe0f98b31e6e24e
Risk score: 192

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a mass link farm pointing to numerous other PDF files, likely as part of a phishing or malware distribution campaign. The heuristic 'SE_CLIPBOARD_COMMAND_LURE' indicates the document attempts to trick the user into executing commands, suggesting a malicious intent to download and run further payloads. The presence of embedded URLs and the ClamAV detection further support its malicious nature.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Clipboard command execution lure [high] (SE_CLIPBOARD_COMMAND_LURE)
    The document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000392c.bin
    SHA-256: fd22af53f2844f775e2788e663f76d51cbd1f673c8a6c692d2e507cbfd993ddd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x392C
    Size: 6544 bytes
  • font_01_sfnt_off00004db1.bin
    SHA-256: d8fa1d180e0a505d0c2b16a5f695b88c8b58e4db502161fc5572c07a7daa196e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4DB1
    Size: 16488 bytes
  • font_02_sfnt_off000067c3.bin
    SHA-256: a6bbfc74d8e83f3e01974ade818ae08fe4b1d56f530be50a60b10b8fbf24bd77
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x67C3
    Size: 10384 bytes