Malicious PDF — malware analysis report

Static analysis result for SHA-256 77e1c8255848db28…

MALICIOUS

PDF

Size: 132.4 KB
Authoring application: Serif PagePlus
MD5: 67b2df28d7bf837bbbb217d78f76422f
SHA-1: 16dc157586c704ad85c9b0d7d1d46cf29e421572
SHA-256: 77e1c8255848db28e44c56a6f301f2a1d37cdcc11662797240b11cb5849a922f
Risk Score: 192

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of external links to other PDF files, a pattern typical of SEO poisoning and of carrier documents that route readers into malicious or unwanted-software delivery chains rather than of normal citations. The heuristic SE_ADVANCE_FEE_SCAM_LURE indicates that the document text is written to convince the reader that a prize or payment is waiting for them and that they must act to claim it, here by following the embedded links. The embedded URLs are the likely next hop of the lure. This is a static result: the linked content was not fetched, so the URLs should be treated as lure infrastructure, not as confirmed payload hosts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_ADVANCE_FEE_SCAM_LURE (high): Advance-fee lottery/parcel scam lure
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://met-wilderwood.com/uploads/1/3/0/8/130874614/jagufuro.pdf
    • http://wmtribal.com/uploads/1/3/0/3/130313340/2657e.pdf
    • http://amorahome.com/uploads/1/3/0/5/130589299/jowinewexalokirasi.pdf
    • http://m.thewitchsgarden.com/uploads/1/3/0/7/130775557/32872eef15.pdf
    • http://wilsoninteriordesign.com/uploads/1/3/0/5/130551805/gurimusuve_rizakejapa.pdf
    • http://amanda-mccall.com/uploads/1/3/0/7/130739483/4366678.pdf
    • http://commercialequipmentparts.com/uploads/1/3/0/4/130490643/gakegowa-gariduponugel-zovum.pdf
    • http://accleaningservices.net/uploads/1/3/0/6/130620519/zikupenifuki.pdf
    • http://xlifesciencefond.com/uploads/1/3/0/4/130483457/nujezu-ruvit-newavuwolobexed-gibudewivibus.pdf
    • http://wootagh.org/uploads/1/3/0/7/130740210/9236163.pdf
    • http://millteacher.com/uploads/1/3/0/4/130490078/vulizusoxuligiga.pdf
    • http://www.ejaznadeem.com/uploads/1/3/0/6/130621480/kenobafi-kiwal.pdf
    • http://dogdetailmovie.com/uploads/1/3/0/6/130603874/2778076.pdf
    • http://w3innov8.com/uploads/1/3/0/6/130620482/d79b8339863.pdf
    • http://storgebhs.com/uploads/1/3/0/7/130776617/7939234.pdf
    • http://millenialpages.com/uploads/1/3/0/4/130435520/b513047cd1efc.pdf
    • http://946.bpmtc.com/uploads/1/3/0/7/130738705/130738705.html#fifa+world+cup+2018+groups+draw
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
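As an added illustration, and not output of the analysis engine or its detection logic: a small Python scanner that extracts /URI link-action strings from a PDF (including from FlateDecode streams) and applies a link-farm rule of the shape the PDF_SEO_LINK_FARM heuristic describes. The host-clustering criterion from the heuristic text is extended with a path-shape criterion, because the URL list in this report shows distinct hosts that all share one /uploads/#/#/#/#/#/ path template. The thresholds, the sample PDF and every domain in it are constructed for the example.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# A link annotation's URI action looks like:  /A << /S /URI /URI (http://host/x.pdf) >>
# Only literal-string URIs are handled here; hex-string URIs (<...>) are out of scope.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# A stream object: its dictionary (not crossing an endobj), then "stream ... endstream".
STREAM_RE = re.compile(rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def _unescape(raw: bytes) -> str:
    # Enough PDF literal-string unescaping for URLs: \( \) and \\ ; other escapes are left alone.
    return raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI action string found in clear-text objects or inside inflated FlateDecode streams."""
    found = [_unescape(m) for m in URI_RE.findall(pdf)]
    for dict_part, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" not in dict_part:
            continue
        try:
            inflated = zlib.decompress(body)
        except zlib.error:  # truncated, encrypted or multi-filter stream: skip it
            continue
        found.extend(_unescape(m) for m in URI_RE.findall(inflated))
    return found


def path_shape(url: str) -> str:
    """Collapse a URL path to its directory template: digit runs become '#', the file name becomes '*.ext'."""
    head, _, tail = urlparse(url).path.rpartition("/")
    ext = tail.rsplit(".", 1)[-1].lower() if "." in tail else ""
    return re.sub(r"\d+", "#", head) + "/*." + ext


def link_farm_verdict(pdf: bytes, max_size=256 * 1024, min_links=10, min_cluster_share=0.6) -> dict:
    """Flag a small PDF whose external links cluster on one host or on one path shape.
    The thresholds are assumptions of this example, not the report engine's values."""
    external = [u for u in extract_uris(pdf) if urlparse(u).scheme in ("http", "https")]
    hosts = Counter(urlparse(u).hostname or "" for u in external)
    shapes = Counter(path_shape(u) for u in external)
    top_host = hosts.most_common(1)[0] if hosts else ("", 0)
    top_shape = shapes.most_common(1)[0] if shapes else ("", 0)
    n = len(external)
    share = max(top_host[1], top_shape[1]) / n if n else 0.0
    return {
        "size": len(pdf),
        "external_links": n,
        "top_host": top_host,
        "top_shape": top_shape,
        "cluster_share": share,
        "flagged": len(pdf) <= max_size and n >= min_links and share >= min_cluster_share,
    }


# Constructed sample URLs (hypothetical domains): 12 farm links on distinct hosts sharing
# one upload-path template, plus two ordinary links to a single benign host.
FARM_URLS = [f"http://site-{i:02d}.example/uploads/1/3/0/{i % 9}/1305{i:05d}/doc{i}.pdf" for i in range(12)]
BENIGN_URLS = ["https://fonts.example/", "https://fonts.example/license.html"]


def build_sample_pdf(uris: list[str]) -> bytes:
    """Constructed sample: link annotations, half in the clear and half inside a FlateDecode
    stream standing in for an object stream. No xref table, so it is not a fully valid PDF;
    it is just enough structure for the scanner above."""
    def annot(i: int, uri: str) -> bytes:
        return (f"{10 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                f"/A << /S /URI /URI ({uri}) >> >>\nendobj\n").encode()
    clear = b"".join(annot(i, u) for i, u in enumerate(uris) if i % 2 == 0)
    packed = zlib.compress(b"".join(annot(i, u) for i, u in enumerate(uris) if i % 2 == 1))
    stream_obj = (b"9 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length " + str(len(packed)).encode()
                  + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            + clear + stream_obj + b"%%EOF\n")


if __name__ == "__main__":
    print(link_farm_verdict(build_sample_pdf(FARM_URLS + BENIGN_URLS)))
```

The verdict dictionary carries the evidence (link count, dominant host, dominant path shape, cluster share) alongside the boolean, so a triage analyst can see why a file was flagged rather than just that it was. A production scanner would additionally walk the xref/object-stream structure and handle filter chains and hex strings instead of regex-scanning raw bytes.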

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000168b.bin
SHA-256: 986bf8955b1c0860d06f2bf6669568db255d079895ececa225f7f86101eb88e7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x168B
Size: 16984 bytes

Filename: font_01_sfnt_off0001d151.bin
SHA-256: 7863b829de04ea8b7f5be4d5dae43fa62182e7611f0c3a300d10b316d27db496
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1D151
Size: 2732 bytes