Malicious PDF — malware analysis report

Static analysis result for SHA-256 74605235fdd158c3…

MALICIOUS

PDF

Size: 39.4 KB
Authoring application: GIMP
MD5: 4f491dcd488b862a6903a430d8e63bab
SHA-1: 9ec2835c6762764113a1ea89d3db01411b551321
SHA-256: 74605235fdd158c3ec90c94c39d497adb8cbae4ea533d9bf8fb62d1f397e6fc3
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files, a pattern characteristic of generated SEO link-farm carriers that are used to route users into unwanted-software or malicious download chains rather than to cite documents. The ClamAV signature match and the ML classifier both indicate malicious intent. No scripts were extracted from the file; the embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://richmondandflood.com/uploads/1/3/0/6/130622089/vipipovuzavaxivo.pdf
    • http://www.jonascain.net/uploads/1/3/0/2/130289205/kekezubemuzi.pdf
    • http://cashhousesdfw.com/uploads/1/3/0/6/130621646/9717817.pdf
    • http://nereoww.com/uploads/1/3/0/8/130813738/xigupazeluzaxi.pdf
    • http://californiacastaway.com/uploads/1/3/0/6/130604263/bovetulozid_todafikiges_lesug_lomidani.pdf
    • http://dcchosa.com/uploads/1/3/0/5/130589454/8a9d7700.pdf
    • http://techarcana.us/uploads/1/3/0/4/130488429/8047556.pdf
    • http://baelts.com/uploads/1/3/0/4/130436367/7896580.pdf
    • http://lightonmyfeet.com/uploads/1/3/0/5/130546977/1255837.pdf
    • http://beautyenpointe.com/uploads/1/3/0/4/130492127/6217070.pdf
    • http://easyauctionshipping.com/uploads/1/3/0/6/130604521/bawunovon_mipumoteju.pdf
    • http://christianawt.com/uploads/1/3/0/3/130324126/lepofimebofogad-lafuv-garevorav-xagidimed.pdf
    • http://historicreplicawindows.com/uploads/1/3/0/5/130589077/2751528.pdf
    • http://host225.carmichaelnl.com/uploads/1/3/0/8/130873951/130873951.html#simple+past+exercises+pdf+worksheet
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
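The PDF_SEO_LINK_FARM heuristic above is a count-and-cluster check over a document's outbound link annotations. The script below is an added example written for this page, not the analysis engine's own code: it pulls /URI action targets out of raw PDF bytes, counts how many outbound links point at other PDFs, measures host clustering, and applies the heuristic's three conditions. The size and count thresholds are assumptions, as is the regex-based scan (it only sees uncompressed objects). Because the URLs listed in this report sit on thirteen different hosts but share the same /uploads/1/3/0/... path template, the example also reports the common path prefix, which is a stronger cluster signal here than the hostname. The sample PDF is constructed inline from the report's URLs and is not the analysed file.

```python
import os
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed thresholds (not from the report); tune them against your own corpus.
SMALL_PDF_BYTES = 256 * 1024   # what counts as a "small" carrier document
MIN_EXTERNAL_PDF_LINKS = 8     # how many outbound .pdf links counts as "mass"
MIN_PDF_LINK_RATIO = 0.6       # share of outbound links that target other PDFs

# A /URI action value is a literal string "(...)" or a hex string "<...>".
_URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")


def extract_link_uris(pdf_bytes):
    """Return every /URI action target visible in the raw bytes (uncompressed objects only;
    links inside FlateDecode'd object streams need a real PDF parser first)."""
    uris = []
    for m in _URI_RE.finditer(pdf_bytes):
        if m.group("lit") is not None:
            raw = re.sub(rb"\\(.)", rb"\1", m.group("lit"))  # undo \( \) \\ escapes
        else:
            raw = bytes.fromhex(re.sub(rb"\s", b"", m.group("hex")).decode("ascii"))
        uris.append(raw.decode("latin-1"))
    return uris


def score_link_farm(pdf_bytes):
    """Summarise outbound links and decide whether the link-farm pattern fires."""
    parsed = [urlparse(u) for u in extract_link_uris(pdf_bytes)]
    external = [p for p in parsed if p.scheme in ("http", "https")]
    pdf_links = [p for p in external if p.path.lower().endswith(".pdf")]
    hosts = Counter(p.netloc.lower() for p in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    ratio = len(pdf_links) / len(external) if external else 0.0
    # Generated carriers on one hosting platform often share a path template even
    # when the hostnames differ, so the common path prefix is reported as well.
    shared_prefix = os.path.commonprefix([p.path for p in pdf_links])
    fires = (len(pdf_bytes) <= SMALL_PDF_BYTES
             and len(pdf_links) >= MIN_EXTERNAL_PDF_LINKS
             and ratio >= MIN_PDF_LINK_RATIO)
    return {"size_bytes": len(pdf_bytes), "external_links": len(external),
            "pdf_links": len(pdf_links), "pdf_link_ratio": round(ratio, 3),
            "distinct_hosts": len(hosts), "top_host": top_host, "top_host_links": top_count,
            "shared_path_prefix": shared_prefix, "fires": fires}


def build_pdf_with_links(urls):
    """Constructed sample: a one-page PDF whose only content is one /Link annotation per URL."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = " ".join("%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(("<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                 "/Annots [%s] >>" % refs).encode("latin-1"))
    for i, url in enumerate(urls):
        y = 720 - 14 * i
        escaped = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(("<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] "
                     "/A << /S /URI /URI (%s) >> >>" % (y, y + 12, escaped)).encode("latin-1"))
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


# Constructed sample input: the outbound URLs listed in the report, placed in a tiny
# PDF built here (this is not the analysed file itself).
SAMPLE_URLS = [
    "http://richmondandflood.com/uploads/1/3/0/6/130622089/vipipovuzavaxivo.pdf",
    "http://www.jonascain.net/uploads/1/3/0/2/130289205/kekezubemuzi.pdf",
    "http://cashhousesdfw.com/uploads/1/3/0/6/130621646/9717817.pdf",
    "http://nereoww.com/uploads/1/3/0/8/130813738/xigupazeluzaxi.pdf",
    "http://californiacastaway.com/uploads/1/3/0/6/130604263/bovetulozid_todafikiges_lesug_lomidani.pdf",
    "http://dcchosa.com/uploads/1/3/0/5/130589454/8a9d7700.pdf",
    "http://techarcana.us/uploads/1/3/0/4/130488429/8047556.pdf",
    "http://baelts.com/uploads/1/3/0/4/130436367/7896580.pdf",
    "http://lightonmyfeet.com/uploads/1/3/0/5/130546977/1255837.pdf",
    "http://beautyenpointe.com/uploads/1/3/0/4/130492127/6217070.pdf",
    "http://easyauctionshipping.com/uploads/1/3/0/6/130604521/bawunovon_mipumoteju.pdf",
    "http://christianawt.com/uploads/1/3/0/3/130324126/lepofimebofogad-lafuv-garevorav-xagidimed.pdf",
    "http://historicreplicawindows.com/uploads/1/3/0/5/130589077/2751528.pdf",
    "http://host225.carmichaelnl.com/uploads/1/3/0/8/130873951/130873951.html#simple+past+exercises+pdf+worksheet",
    "http://www.ascendercorp.com/",
]
SAMPLE_PDF = build_pdf_with_links(SAMPLE_URLS)
```

Calling `score_link_farm(SAMPLE_PDF)` on the constructed sample reports 15 outbound links, 13 of them to .pdf targets on 13 distinct hosts, a shared path prefix of /uploads/1/3/0/, and a firing verdict. On a real sample, run the raw-byte scan only after inflating object streams (or hand the file to a proper PDF parser), otherwise a carrier that keeps its annotations inside a compressed object stream will show zero links and slip past the heuristic.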

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off000021d7.bin
  SHA-256: 9c441396c78fcec381b139909df8eae4e3e4b3b77c9f9e3b7c3f2073b33ed4b0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x21D7
  Size: 2616 bytes

font_01_sfnt_off00002a6e.bin
  SHA-256: 40a403f8312ff9c93041e514e965a4d57d797ba541f1da729710ef172887bfc2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2A6E
  Size: 16060 bytes

font_02_sfnt_off00004187.bin
  SHA-256: a2404ce973754b1b1afa3c59710acb7e4179d439dba4a0a36144824b7f137997
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4187
  Size: 7524 bytes