Malicious PDF — malware analysis report

Static analysis result for SHA-256 747d9f47c0f6c990…

Verdict: MALICIOUS

File type: PDF

Size: 45.5 KB
Authoring application: PDF Studio

MD5: f4619531f919cac09bdbe3796adbcdaa
SHA-1: c109c8a72d48deee328a02c6d2df6dacbbda187e
SHA-256: 747d9f47c0f6c9902ad2ffbf073b537f45391b68e163a616f0f509ce2d7dd4ad

Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of embedded URLs, flagged by the PDF_SEO_LINK_FARM heuristic, which suggests a link farm or a redirection chain to malicious content. The ML classifier and the ClamAV signature both strongly indicate malicious intent. Although no scripts were extracted, the nature of the PDF and its numerous external links point to a phishing or malicious-content delivery mechanism, most likely delivered as a spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://tvpays.ru/uploads/2020/01/28/fb50133f4827.pdf
    • http://northweststeamart-uk.com/uploads/1/3/0/6/130620472/bozakuk-giwixubu-webidoruraw-tupewepaxem.pdf
    • http://campmonty.org/uploads/1/3/0/6/130604962/bawemi_jidebav_xawamugamiweze_tojixavozabixax.pdf
    • http://paraglidinginkorea.com/uploads/1/3/0/4/130436172/8532678.pdf
    • http://myfujingarts.com/uploads/1/3/0/6/130639679/7fda3640eae7e9.pdf
    • http://zos.posox.ru/uploads/2020/01/27/tedavudomiz.pdf
    • http://sammiecakesbakesale.com/uploads/1/3/0/3/130312929/gawapuwusapafera.pdf
    • http://afhe.org.au/uploads/1/3/0/4/130436389/ab7cc.pdf
    • https://wapuwokev.weebly.com/uploads/1/3/0/3/130379818/9440629.pdf
    • http://repast-catering.com/uploads/1/3/0/3/130323319/35506.pdf
    • https://kitasomoma.weebly.com/uploads/1/3/0/5/130541552/mosiralatanopudu.pdf
    • http://cscle.com/uploads/1/3/0/6/130639530/vibeximiba-gixokabiresafe.pdf
    • http://gowitujin.saojose.online/uploads/2020/01/29/movilixujipofe-dugemurufav-zaxumadebibogu.pdf
    • http://cheriben-site.com/uploads/2020/01/29/wokezusiwi.pdf
    • http://consultoriaconsciente.com/uploads/1/3/0/4/130435781/giwavulatekipitob.pdf
    • http://murphcooper.com/uploads/1/3/0/4/130488542/130488542.html#format+python+vs+code

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000146e.bin
SHA-256: 6b023cf6ce7007831695b22107c283e68f0955faa3c2d367aa78c970f56f8b61
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x146E
Size: 8044 bytes