Malicious PDF — malware analysis report

Static analysis result for SHA-256 75e4c37c620c7a36…

Verdict: MALICIOUS
File type: PDF
Size: 43.1 KB
Authoring application: Nitro PDF
MD5: 53348d540e604017bc3e291146fe6e3d
SHA-1: d03aebf14c38f17f6e84f1e6f5e19c0a2d35dbbd
SHA-256: 75e4c37c620c7a36b16e3d2f62bc5a3d99dcecf5ec9360087375736b7102516d
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded URLs, forming a link farm, which is a common technique for distributing malware or phishing content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution. The embedded URLs are the primary indicators of compromise, suggesting the document's purpose is to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000012a8.bin
  SHA-256: 87bb7c3df6cfe19cde8b69d811a8b58919578030df6b36455163b1fb8a040619
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12A8
  Size: 8620 bytes

Filename: font_01_sfnt_off000058eb.bin
  SHA-256: b63478ca9fb9d883914a502870e486a1804226e55361a2f6991e9f5fabc13a72
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x58EB
  Size: 11024 bytes