Malicious PDF — malware analysis report

Static analysis result for SHA-256 7722e2970ea0b35e…

Verdict: MALICIOUS
File type: PDF
Size: 144.6 KB
Authoring application: QPDF (the qpdf tool/library, not a desktop authoring program)
MD5: 13a13f70ebe0f8ac628243351f79afbf
SHA-1: 2418026872c89b26d48864b1bb578e9fd10fb5e7
SHA-256: 7722e2970ea0b35e8abd296a0c4dc48be6de4c11444ba2d489ee03e2b0c87263
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF carries an unusually large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic: 22 URLs on 22 distinct hosts, 21 of them pointing at further .pdf files and one at an .html page whose URL fragment is an SEO keyword phrase, all sharing the same /uploads/1/3/0/<n>/<id>/ path pattern. That shape matches generated SEO-spam / link-farm carriers whose purpose is to route readers into malicious or unwanted-software download chains, not a document that cites sources. The Nyx classifier score (0.9890) and the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently agree with that assessment. No scripts (JavaScript or other) were extracted, so no script-based execution path was observed; the exposure is a user following one of the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9890

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, clustered on one host or, as in this sample, spread over many hosts that share one upload-path template. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than the citation pattern of a normal document.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not a detection in itself; the per-URL channel label (macro, JS, link annotation, document body, ...) says which path reached it. This sample yielded 22 URLs, 21 of them .pdf targets and one .html page, on 22 distinct hosts that share the same /uploads/1/3/0/<n>/<id>/ path pattern:
    • http://mountainxllc.com/uploads/1/3/0/6/130639055/buvolefidemupatogenu.pdf
    • http://kidney4chris.com/uploads/1/3/0/7/130776535/9862622.pdf
    • http://thekookas.com/uploads/1/3/0/6/130639181/7051d.pdf
    • http://neckiesbymj.com/uploads/1/3/0/5/130540493/63fbc9d8cd7c2d4.pdf
    • http://nateberggren.com/uploads/1/3/0/8/130813448/33b6250183d.pdf
    • http://baguiosoundsrental.com/uploads/1/3/0/7/130739904/suvererut.pdf
    • http://backtopulse.com/uploads/1/3/0/7/130739120/gowudu_xoraxe_jiwubijupolixe.pdf
    • http://aqzsystems.net/uploads/1/3/0/5/130589402/0097aa77a259.pdf
    • http://calamosventures.com/uploads/1/3/0/7/130739368/8842619.pdf
    • http://fwyouth.com/uploads/1/3/0/6/130605165/6c4cb.pdf
    • http://newhavenbooksellers.com/uploads/1/3/0/6/130605167/5d6b7f2a7cf19.pdf
    • http://voxygen.de/uploads/1/3/0/5/130588451/muzetunukebewewikeda.pdf
    • http://nielsenrenovations.com/uploads/1/3/0/4/130483767/bea8bffb2623142.pdf
    • http://musette-ventures.org/uploads/1/3/0/6/130604077/kerarewu-fajolop.pdf
    • http://mail.nfcareers.com/uploads/1/3/0/7/130776760/992e127.pdf
    • http://mineralcapital.net/uploads/1/3/0/6/130604355/jodojuxul-dopifenekuridim.pdf
    • http://gazelleleadership.net/uploads/1/3/0/3/130379293/dawek_fejabawow.pdf
    • http://elizabethlangs.com/uploads/1/3/0/7/130740556/a0c2d9169512b1.pdf
    • http://phudicin.com/uploads/1/3/0/7/130775358/fajopokojoduxa.pdf
    • http://norwichmedievalmysteryplays.com/uploads/1/3/0/7/130775154/zazajasas.pdf
    • http://dinner-ateight.com/uploads/1/3/0/5/130545185/5817308.pdf
    • http://www.oneteammedia.com/uploads/1/3/0/7/130740003/130740003.html#english+name+to+chinese+word+translation
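The PDF_SEO_LINK_FARM verdict rests on three measurable properties: a small file, many external link annotations, and targets clustered on one host or, as the list above shows, on one path template across many hosts. The script below is an added example, not code from the analysis platform and not the heuristic's real implementation. It pulls /URI strings out of link annotations, inflating FlateDecode streams first so that annotations kept inside object streams (the usual layout of a qpdf-written file) are seen, then clusters targets by host and by a digit-normalised path template and applies the three tests. The thresholds MAX_SIZE_BYTES, MIN_EXTERNAL_LINKS and CLUSTER_FRACTION, the host names in SAMPLE_URLS and the build_sample_pdf helper are assumptions made for illustration; the report does not publish the heuristic's cut-offs.

```python
import re
import sys
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical cut-offs: the report does not publish the heuristic's real thresholds.
MAX_SIZE_BYTES = 512 * 1024   # what counts as a "small" PDF
MIN_EXTERNAL_LINKS = 10       # what counts as "many" external links
CLUSTER_FRACTION = 0.5        # share of links that must sit on one host or one path template

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def inflate_streams(data: bytes) -> list:
    """Return (offset, inflated body) for every FlateDecode stream; other filters are skipped.

    qpdf-written files keep annotation dictionaries inside /ObjStm object streams,
    so scanning only the raw bytes misses most of the links.
    """
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            body = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # image, font or otherwise not zlib data
        if body:
            out.append((m.start(1), body))
    return out


def extract_uris(data: bytes) -> list:
    """Collect http(s) /URI strings from the raw file and from every inflated stream."""
    seen, uris = set(), []
    for blob in [data] + [body for _, body in inflate_streams(data)]:
        for m in URI_RE.finditer(blob):
            raw = m.group(1).replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
            uri = raw.decode("latin-1").strip()
            if uri.lower().startswith(("http://", "https://")) and uri not in seen:
                seen.add(uri)
                uris.append(uri)
    return uris


def path_template(url: str) -> str:
    """Host-agnostic shape of a URL: file name dropped, digit runs replaced by N."""
    return re.sub(r"\d+", "N", urlsplit(url).path.rsplit("/", 1)[0])


def assess_link_farm(data: bytes) -> dict:
    """Apply the small-file / many-links / clustered-target test to one PDF."""
    uris = extract_uris(data)
    hosts = Counter(urlsplit(u).hostname or "" for u in uris)
    templates = Counter(path_template(u) for u in uris)
    top_host = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tpl = templates.most_common(1)[0] if templates else ("", 0)
    n = len(uris)
    clustered = n > 0 and max(top_host[1], top_tpl[1]) / n >= CLUSTER_FRACTION
    hit = len(data) <= MAX_SIZE_BYTES and n >= MIN_EXTERNAL_LINKS and clustered
    return {"size": len(data), "links": n, "top_host": top_host,
            "top_template": top_tpl, "link_farm": bool(hit), "uris": uris}


def build_sample_pdf(urls: list) -> bytes:
    """Constructed one-page PDF (not the analysed sample) whose /Link annotations are
    split between plain objects and one FlateDecode /ObjStm. No xref is written:
    enough for a byte-level scanner, not for a viewer."""
    def annot(u):
        u = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        return f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ({u}) >> >>"
    half = len(urls) // 2
    plain_ids = list(range(4, 4 + half))
    stm_ids = list(range(4 + half, 4 + len(urls)))
    objs = {oid: annot(u).encode() for oid, u in zip(plain_ids, urls[:half])}
    header, body = "", ""
    for oid, u in zip(stm_ids, urls[half:]):          # object-stream header: "objnum offset" pairs
        header += f"{oid} {len(body)} "
        body += annot(u) + "\n"
    payload = zlib.compress((header + "\n" + body).encode())
    objs[4 + len(urls)] = (
        (f"<< /Type /ObjStm /N {len(stm_ids)} /First {len(header) + 1} "
         f"/Length {len(payload)} /Filter /FlateDecode >>\nstream\n").encode()
        + payload + b"\nendstream")
    refs = " ".join(f"{i} 0 R" for i in plain_ids + stm_ids)
    objs[1] = b"<< /Type /Catalog /Pages 2 0 R >>"
    objs[2] = b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"
    objs[3] = f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [{refs}] >>".encode()
    out = b"%PDF-1.5\n"
    for oid in sorted(objs):
        out += f"{oid} 0 obj\n".encode() + objs[oid] + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed URLs with the same /uploads/<d>/<d>/<d>/<d>/<id>/ shape as the report's
# list, spread over distinct hosts, plus one ordinary document link as an outlier.
SAMPLE_URLS = [f"http://host{i:02d}.example/uploads/1/3/0/{i % 10}/1305{i:05d}/{i}.pdf"
               for i in range(12)] + ["https://example.org/docs/readme.pdf"]

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf(SAMPLE_URLS)
    print("inflated streams at:", [hex(off) for off, _ in inflate_streams(data)])
    result = assess_link_farm(data)
    for key in ("size", "links", "top_host", "top_template", "link_farm"):
        print(f"{key}: {result[key]}")
```

Run it with a file path to scan a real sample; with no argument it scans the constructed one. The scanner works at the byte level and never parses the cross-reference table, so it also handles files whose xref is damaged or missing, but it inflates only FlateDecode streams and will not see URIs stored under other filters or as hex strings. Clustering by path template rather than only by host is what catches the listing above, where every link sits on a different domain but the same upload-path shape.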

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • stream_002_off00009906.bin
    SHA-256: fe8eff511eac405e5e44c1f20aefc6b8ef4f53d343922bdb37d35a5224898b68
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x9906
    Size: 111800 bytes
  • font_00_sfnt_off00007845.bin
    SHA-256: 9104df24e6071d41f7f4d07443fe5f290fff5fd0fe2eeb9de85d47948bcf087f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7845
    Size: 16588 bytes
  • font_02_sfnt_off0001dbd3.bin
    SHA-256: 19a5ce598827a90626fa7961af64bcb42df4fa5c0d2bdf054e7e80090359b7e0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1DBD3
    Size: 10028 bytes