Malicious PDF — malware analysis report

Static analysis result for SHA-256 73f38f9ec4b951ac…

MALICIOUS

PDF

Size: 130.1 KB
Authoring application: Soda PDF
MD5: fb2ec705329ca926508e2ee90d96718a
SHA-1: 7fd33fe7ef57efb0cefba1850dac48e6d427da56
SHA-256: 73f38f9ec4b951ac5206b6dcfbf81de40e7ca7c15c53df9741de0dc0097c6e4b
Risk Score: 192

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, identified as a link farm, and is flagged by ML classifiers and ClamAV as malicious. The heuristic 'SE_ADVANCE_FEE_SCAM_LURE' strongly suggests the document's purpose is to trick users into a financial scam by promising prizes or funds requiring delivery. The embedded URLs likely lead to further stages of the attack or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical) [PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Advance-fee lottery/parcel scam lure (severity: high) [SE_ADVANCE_FEE_SCAM_LURE]
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • Embedded URL (severity: info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://kommmituns.com/uploads/2020/01/28/medukovo_negivine_teladopoter.pdf
    • http://mineralintelligencecapital.com/uploads/1/3/0/4/130488831/2e7905467.pdf
    • https://namasazamugex.weebly.com/uploads/1/3/0/6/130605124/761fbffe.pdf
    • http://artemdeev.pro/uploads/1/3/0/2/130274256/c6e68.pdf
    • http://tevodan.darcis-ko.fun/uploads/2020/01/28/gudawisoxusejoxevigu.pdf
    • http://bethanystafford.com/uploads/1/3/0/4/130488220/5f4c5dc8d584c61.pdf
    • http://midnightslimes.com/uploads/1/3/0/2/130272609/2471853.pdf
    • http://turnberrypress.com/uploads/1/3/0/4/130476317/fdedb386a08a09.pdf
    • http://jennnorthey.com/uploads/1/3/0/5/130550915/9241412.pdf
    • https://tilusabi.weebly.com/uploads/1/3/0/4/130494289/panotajamirabo.pdf
    • http://montanaterritorialalliance.org/uploads/1/3/0/4/130491599/4159a91c.pdf
    • http://civotusgroup.com/uploads/1/3/0/2/130271139/2357121.pdf
    • https://gevogiduxiwim.weebly.com/uploads/1/3/0/4/130435741/1024025.pdf
    • https://nosurabomoda.weebly.com/uploads/1/3/0/4/130483309/woledunes_bujubuvuxufo.pdf
    • http://tavonthames.com/uploads/1/3/0/6/130639511/7867843.pdf
    • https://perajizef.weebly.com/uploads/1/3/0/2/130288486/8206953.pdf
    • http://nmsapa.com/uploads/1/3/0/6/130620746/riwuworesiwowosifax.pdf
    • http://roxiduwiba.laama.ru/uploads/2020/01/27/dinezam-nawaf-tazum-putibopi.pdf
    • http://absystemsllcscam.com/uploads/1/3/0/4/130483239/130483239.html#sales+and+marketing+automation+platform

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001720.bin
SHA-256: 366d8bfd2028b18c53c04e04e14889d8e5c56fc179359152d3795d4e56db3f08
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1720
Size: 9368 bytes