Malicious PDF — malware analysis report

Static analysis result for SHA-256 78a2fde5ad640be9…

MALICIOUS

PDF

55.1 KB Authoring application: pstoedit
MD5: 0ba096f4bd9191800d489e6fa65dfb4c SHA-1: 41b959b3fb63bd09f4463911a30812ffb4a46eb2 SHA-256: 78a2fde5ad640be9130061501fefca62becc707ee7a8b0542c6f74d27b78dbc1
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV also flagged this file as malicious, with ClamAV identifying it as Pdf.Phishing.TtraffRobotInstall-7605656-0. The embedded URLs likely lead to further malicious content or phishing sites, and the sheer volume suggests an attempt at SEO manipulation or mass distribution of harmful links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://wakurejedajaw.weebly.com/uploads/1/3/0/5/130546294/darozuwalodojivugo.pdf
    • http://furajidema.espace-clientsv3-0range.com/uploads/2020/01/27/1ee2d.pdf
    • https://kipekuxawu.weebly.com/uploads/1/3/0/6/130604524/43b8212b54503.pdf
    • http://keyautonj.com/uploads/1/3/0/6/130620510/b0b96.pdf
    • https://xagaguruxuton.weebly.com/uploads/1/3/0/2/130289441/budowalafa.pdf
    • https://vaxoforegojus.weebly.com/uploads/1/3/0/3/130313194/7799003.pdf
    • http://gexolob.cityglush13.icu/uploads/2020/01/27/7660713.pdf
    • http://pornostorys.ru/uploads/2020/01/27/raraxutopubepeb.pdf
    • http://sosudamug.easy-studies.com/uploads/2020/01/27/009052b0.pdf
    • http://kokomotans.com/uploads/1/3/0/2/130288455/fasebebasexoguvo.pdf
    • http://bupo.opr0.icu/uploads/2020/01/27/6161442.pdf
    • http://dtbaikal.com/uploads/2020/01/27/wixakuzepatapogikov.pdf
    • https://famasaxizugo.weebly.com/uploads/1/3/0/5/130544001/6360096.pdf
    • http://lifefirstwebsite.com/uploads/1/3/0/2/130287988/54597f.pdf
    • http://tikuju.eglesmade.com/uploads/2020/01/28/vojigob.pdf
    • http://fresh21.ru/uploads/2020/01/27/4b043f4.pdf
    • http://keyproserv.com/uploads/1/3/0/3/130379596/14b372dc7.pdf
    • http://osbert11.com/uploads/2020/01/27/loniwapetadew_jivezowiwabejo.pdf
    • http://pajizanu.zaem-onlain.info/uploads/2020/01/28/vemekesoko-ratefa-wirixarum-rusav.pdf
    • https://femifatorab.weebly.com/uploads/1/3/0/3/130323425/8696215.pdf
    • http://tisafo.bayua.xyz/uploads/2020/01/27/f2d90c7ab4ca65.pdf
    • https://zuzavunolusopi.weebly.com/uploads/1/3/0/5/130544541/nojogeru.pdf
    • https://madazunodexobaw.weebly.com/uploads/1/3/0/4/130476313/1128131.pdf
    • http://kxxvii.com/uploads/1/3/0/3/130323126/0c608b0d635e229.pdf
    • http://leziduxipi.rajatmeena.com/uploads/2020/01/29/mifobib.pdf
    • http://ginekologjakiel.pl/uploads/1/3/0/6/130604326/130604326.html#agendas+para+imprimir+2020+gratis+pdf
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • http://www.adobe.com/).Noto
    • http://www.google.com/get/noto/http://www.adobe.com/type/This
    • http://scripts.sil.org/OFLNoto
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 5

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000018c0.bin
6f8d80dfa694f413d1ec9b980332cd82f515d843651f834e08df4735664e00f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x18C0 8492 bytes
font_01_sfnt_off00006726.bin
1957428794578a072b8983e864e5701b52391162abfb2d6d14c6295fa8a16687		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6726 6444 bytes
font_02_sfnt_off00007671.bin
71309d75ffa13f257e666fd2a77d4a8afaf65e52c29a4efe354bd6fbe86e3bf8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7671 2952 bytes
font_03_sfnt_off000080c7.bin
16374c43fefb3fb406266acbe16aee7d7122405634c1b68ba02c6c95ae4378ce		 pdf-font-stream PDF embedded font (sfnt) at offset 0x80C7 4196 bytes
font_04_sfnt_off00008d84.bin
57a2527df5b8372e71d6e597926817d190d1d9a2d0ccc58fa5f5ba82bac7eac3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D84 16480 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.