Malicious PDF — malware analysis report

Static analysis result for SHA-256 747b0371c0f94686…

Verdict: MALICIOUS
File type: PDF
Size: 55.4 KB
Authoring application: GIMP
MD5: 9465aa0c206f4beb7be35e2e1d4295ab
SHA-1: 7f6658c537efdedc59d5233908fb41a38d1be3b6
SHA-256: 747b0371c0f946867a220cbb28f1f7ea07efaf9c01be5974bb357a99f8f1a031
Risk Score: 192

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs that together form a link farm designed to send users off to download further PDF files. This is consistent with a phishing or malware-distribution campaign and is corroborated by the ClamAV signature and the ML classifier score. The document body itself is heavily obfuscated and repeats many of the same URLs, which suggests an attempt to disguise the document's purpose from simple content inspection.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment. This is often used to keep payloads encrypted until after gateway scanning.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://rickformi.net/uploads/1/3/0/6/130620987/nizamidawusiteg_pozuwubiso_gaperejimililor.pdf
    • http://chitchatthisthat.com/uploads/1/3/0/6/130621776/ditutebe.pdf
    • http://windsongvilla.com/uploads/1/3/0/2/130271177/991631.pdf
    • http://instaglide.com/uploads/1/3/0/7/130740177/e24e5407a7c.pdf
    • http://lsboudoirlondon.co.uk/uploads/1/3/0/3/130379078/2940dde4b84f.pdf
    • http://newdreamrenovations.com/uploads/1/3/0/6/130621952/pebebero_lamijode_koledeguzobaraz_rozigeneruji.pdf
    • http://bravaycommunications.com/uploads/1/3/0/5/130590719/9496112.pdf
    • http://sossanantonio.com/uploads/1/3/0/2/130287839/sonoveduk_wilij_bijalexow_palujerivep.pdf
    • http://my-gama.com/uploads/1/3/0/7/130775680/galevum.pdf
    • http://nordicin.net/uploads/1/3/0/6/130621439/koxiritazudirobe.pdf
    • http://meetlia.store/uploads/1/3/0/8/130813409/48f1022df6f81c8.pdf
    • http://lip40.goteamonline.com/uploads/1/3/0/2/130289424/diles_lofirolaxanon.pdf
    • http://adammarkeckman.com/uploads/1/3/0/5/130590278/4cf9bba562189.pdf
    • http://myblueprintforchange.com/uploads/1/3/0/5/130541744/d2fc28a5.pdf
    • http://phonesex4cheap.com/uploads/1/3/0/2/130289554/wadida.pdf
    • http://theagerstenmissionarystory.com/uploads/1/3/0/7/130739558/4126000.pdf
    • http://gvk4nm.com/uploads/1/3/0/2/130273733/3b302f7ab0afc.pdf
    • http://host248.carmichaelnl.com/uploads/1/3/0/5/130590122/130590122.html#modelo+relacional+base+de+datos+que+es
    • http://fontawesome.io
    • http://fontawesome.io/license/
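How a PDF_SEO_LINK_FARM-style heuristic and the per-URL channel labels above can be computed from the raw bytes, as an added example that is not the analyser's own code. It hand-builds a small PDF whose one page carries /URI link annotations, most on one host, plus a FlateDecode stream that repeats two of those URLs as plain text; the hosts, paths, thresholds (200 KB, 10 links, 50% cluster share) and the extra path-template grouping (the URL list on this page shares the shape /uploads/N/N/N/N/N across many hosts) are assumptions for the demonstration. The parser is deliberately simplified: literal /URI strings without escapes, no object streams, streams that are raw or Flate-compressed only.

```python
"""Link-farm triage for a small PDF (added example, not the analyser's code).
Scans raw PDF bytes for /URI link annotations and for URLs in streams, labels
each URL with the channel that reached it, and applies a link-farm check
modelled on the PDF_SEO_LINK_FARM description. All sample data is constructed."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: placeholder hosts/paths, not the URLs from the analysed
# file. Nine links on one host, two that share only the path shape, one non-PDF.
FARM_HOST = "farm-host.example"
ANNOT_URLS = [f"http://{FARM_HOST}/uploads/1/3/0/6/13062{i:04d}/doc{i}.pdf" for i in range(9)]
ANNOT_URLS += [
    "http://other-one.example/uploads/1/3/0/2/130271177/a.pdf",
    "http://other-two.example/uploads/1/3/0/7/130740177/b.pdf",
    "http://fonts.example/license/",
]
# Body text repeats two clickable URLs and adds one that exists only as text.
BODY_TEXT = f"Download: {ANNOT_URLS[0]} {ANNOT_URLS[1]} http://mirror.example/x.pdf"


def build_sample_pdf(urls, body_text):
    """Minimal PDF: one page, one Link annotation per URL, one FlateDecode
    content stream. No xref table; the byte-level scan below does not need it."""
    n = len(urls)
    annots = " ".join(f"{4 + i} 0 R" for i in range(n))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        (f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
         f"/Contents {4 + n} 0 R /Annots [{annots}] >>").encode(),
    ]
    for i, url in enumerate(urls):
        objs.append((f"<< /Type /Annot /Subtype /Link /Rect [36 {700 - 20 * i} 400 {716 - 20 * i}] "
                     f"/A << /S /URI /URI ({url}) >> >>").encode())
    body = zlib.compress(body_text.encode())
    objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
                + body + b"\nendstream")
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


SAMPLE_PDF = build_sample_pdf(ANNOT_URLS, BODY_TEXT)

# Simplified parsers (assumption): literal /URI strings, no object streams.
LINK_RE = re.compile(rb"/S\s*/URI\b[^>]*?/URI\s*\(([^)]*)\)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")


def _inflate(raw):
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw  # not Flate (or another filter): scan the bytes as-is


def extract_urls(pdf_bytes):
    """Return {url: set(channels)}; a URL reached two ways carries both labels."""
    found = {}
    for m in LINK_RE.finditer(pdf_bytes):
        found.setdefault(m.group(1).decode("latin-1"), set()).add("link_annotation")
    for s in STREAM_RE.finditer(pdf_bytes):
        for m in URL_RE.finditer(_inflate(s.group(1))):
            found.setdefault(m.group(0).decode("latin-1"), set()).add("document_body")
    return found


def link_farm_verdict(pdf_bytes, max_size=200_000, min_links=10, cluster_ratio=0.5):
    """Small file + many clickable external .pdf links + most on one host or
    (our extension) one digit-normalised path template => link farm."""
    urls = extract_urls(pdf_bytes)
    clickable = sorted(u for u, ch in urls.items()
                       if "link_annotation" in ch and urlparse(u).path.lower().endswith(".pdf"))
    n = len(clickable)
    hosts = Counter(urlparse(u).hostname for u in clickable)
    templates = Counter(re.sub(r"\d+", "N", urlparse(u).path.rsplit("/", 1)[0]) for u in clickable)
    top_host, host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl, tpl_n = templates.most_common(1)[0] if templates else (None, 0)
    clustered = n > 0 and max(host_n, tpl_n) / n >= cluster_ratio
    return {
        "size": len(pdf_bytes),
        "clickable_pdf_links": n,
        "top_host": top_host, "top_host_share": host_n / n if n else 0.0,
        "top_path_template": top_tpl, "top_template_share": tpl_n / n if n else 0.0,
        "PDF_SEO_LINK_FARM": len(pdf_bytes) <= max_size and n >= min_links and clustered,
        "urls": urls,
    }


def triage_sample():
    return link_farm_verdict(SAMPLE_PDF)


if __name__ == "__main__":
    v = triage_sample()
    for k in ("size", "clickable_pdf_links", "top_host", "top_host_share",
              "top_path_template", "PDF_SEO_LINK_FARM"):
        print(f"{k}: {v[k]}")
    for url, channels in sorted(v["urls"].items()):
        print(f"  {', '.join(sorted(channels)):32} {url}")
```

On the constructed sample the verdict fires: 11 clickable .pdf links in a file of a few kilobytes, 9 of 11 on one host and all 11 on the same path template, with the two body-text URLs that are also annotations carrying both channel labels and the mirror URL carrying only document_body. A production version would need a real PDF object parser (xref, object streams, hex and escaped strings, other stream filters) and would also pull text out of content operators rather than from raw stream bytes; the channel-labelling and clustering logic is what this page's heuristics describe, and that part carries over unchanged.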

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off00001432.bin
  SHA-256: 49a8081704351923d0ddcada4635a824b4bc9c8a1145cdc770db6f59de122543
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1432
  Size: 9348 bytes

font_01_sfnt_off00009794.bin
  SHA-256: 7d0e4f26927737c593ed7efda103a1107150fe3ac8ddbcafaf6ee6c0af50a0b0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9794
  Size: 1588 bytes