Malicious PDF — malware analysis report

Static analysis result for SHA-256 7bd9fad209373560…

Verdict: MALICIOUS
File type: PDF
Size: 51.0 KB
Authoring application: PDFedit
MD5: 19c935320e30a315ab6812e0958322e8
SHA-1: 5a53dfb70a44a79b2e01bd467e034add3be3e657
SHA-256: 7bd9fad209373560559ce4cf14953cab941a1bdfc7e30c2458d2d21bd8a71800
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript

The PDF was flagged by multiple heuristics, including a critical finding for a link farm of external PDF URLs (PDF_SEO_LINK_FARM) and a critical ClamAV signature match; the ML classifier also scored it as malicious (0.9999). The embedded URLs point to a phishing or malware-distribution scheme that relies on the recipient opening the attachment (Spearphishing Attachment) and following the links into a traffic-redirection or download chain. No JavaScript or other scripts were extracted, so the T1059.007 mapping above is not supported by any extracted content; the verdict rests on the link farm, the signature match and the classifier, not on executable content in the file.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels (macro, JS, link annotation, document body, ...) identify which channel reached each URL. Note that the last three entries (the two ascendercorp.com pages and the Liberation Font License page) are consistent with name-table metadata of the embedded Liberation fonts carved below rather than with clickable links, so they should not be treated as part of the link farm; the .html link with its keyword fragment, by contrast, fits the SEO pattern of the link-farm finding.
    • http://notestotheunderground.com/uploads/1/3/0/7/130739635/4464364.pdf
    • http://fuxelovo.worldtraveltrip.com/uploads/2020/01/29/6356727.pdf
    • http://skylighthk.com/uploads/1/3/0/3/130313194/9087190.pdf
    • http://neurodesignlab.com/uploads/1/3/0/2/130289340/8936992.pdf
    • http://glider.store/uploads/1/3/0/2/130289021/0f56ea7700c151.pdf
    • http://bentcopper.com/uploads/1/3/0/5/130543466/jobimumin-fafewibo-nitas.pdf
    • http://carriehohmann.com/uploads/1/3/0/5/130590140/kigakif_vevalojefeganag_nakap_puliwowewodij.pdf
    • http://michaelshusko.com/uploads/1/3/0/2/130288307/130288307.html#biuret+reagent+recipe
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
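The PDF_SEO_LINK_FARM finding and the URL list above describe the pattern in words; the following Python script, added here as an illustration and not code from the analysis platform, shows how such a rule can be reproduced on a file. It builds a small constructed PDF carrying one /Link annotation with a /URI action per URL (the report's own URLs reused as sample data), extracts the /URI operands with a regex (also inside inflated FlateDecode streams), and applies a link-farm rule: small file, several external links, most of them pointing at other .pdf files. The thresholds, the function names and the minimal PDF writer are assumptions; hex-string URI operands and filters other than Flate are not handled.

```python
"""Regex-level /URI extraction from a PDF plus a PDF_SEO_LINK_FARM-style rule.
Added example; not the analysis platform's own code."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Constructed input: link targets from the report reused as sample data.
# The two non-.pdf entries stand in for benign metadata-style links.
SAMPLE_URLS = [
    "http://notestotheunderground.com/uploads/1/3/0/7/130739635/4464364.pdf",
    "http://fuxelovo.worldtraveltrip.com/uploads/2020/01/29/6356727.pdf",
    "http://skylighthk.com/uploads/1/3/0/3/130313194/9087190.pdf",
    "http://neurodesignlab.com/uploads/1/3/0/2/130289340/8936992.pdf",
    "http://glider.store/uploads/1/3/0/2/130289021/0f56ea7700c151.pdf",
    "http://bentcopper.com/uploads/1/3/0/5/130543466/jobimumin-fafewibo-nitas.pdf",
    "http://www.ascendercorp.com/",
    "https://fedoraproject.org/wiki/Licensing/LiberationFontLicense",
]


def build_pdf(urls):
    """Write a minimal single-page PDF with one /Link annotation carrying a
    /URI action per URL. Objects are uncompressed; the xref is computed.
    (Assumed helper for the demo, not a general PDF writer.)"""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + annot_refs + b"] >>")
    for i, u in enumerate(urls):
        rect = b"[72 %d 540 %d]" % (700 - 20 * i, 715 - 20 * i)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect " + rect +
                    b" /A << /S /URI /URI (" + u.encode() + b") >> >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref))
    return bytes(out)


# Literal-string operand of a /URI key; handles backslash escapes inside ( ).
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
STREAM_RE = re.compile(rb"/FlateDecode.*?stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def extract_uri_actions(data):
    """Return every /URI operand found in the raw file or inside inflated
    FlateDecode streams (object streams hide annotations from a plain scan).
    Hex-string operands and other filters are not handled here."""
    found = list(URI_RE.findall(data))
    for stream in STREAM_RE.findall(data):
        try:
            found += URI_RE.findall(zlib.decompress(stream))
        except zlib.error:
            continue  # truncated/mis-delimited stream: skip, a real parser would resync
    return [re.sub(rb"\\(.)", rb"\1", u).decode("latin-1") for u in found]


def link_farm_check(data, max_size=200 * 1024, min_pdf_links=5, min_pdf_share=0.6):
    """Flag a small PDF whose clickable links are mostly other .pdf files.
    Thresholds are assumptions, not the platform's. Host concentration is
    reported because the heuristic text singles out clustering on one host."""
    urls = extract_uri_actions(data)
    external = [u for u in urls if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    pdf_share = len(pdf_links) / len(external) if external else 0.0
    flagged = (len(data) <= max_size
               and len(pdf_links) >= min_pdf_links
               and pdf_share >= min_pdf_share)
    return {
        "size": len(data),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "pdf_share": round(pdf_share, 2),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(top_count / len(external), 2) if external else 0.0,
        "flagged": flagged,
    }


if __name__ == "__main__":
    for label, urls in (("link-farm sample", SAMPLE_URLS),
                        ("benign sample", SAMPLE_URLS[-2:])):
        print(label, link_farm_check(build_pdf(urls)))
```

Only URLs that the viewer will present as clickable annotations count here; strings that sit in font name tables or XMP metadata (such as the font-license entry above) never appear as /URI actions, which is one reason to treat the EMBEDDED_URL list as context rather than as a detection in its own right.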

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000012e4.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12E4 | 8848 bytes
  SHA-256: a811a868e51fddde69ce70d51b25449985f981dd71420c9bea8053d28e74fabb
font_01_sfnt_off00008d5b.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8D5B | 2732 bytes
  SHA-256: 171f8a79f44c817cfb5de1f8154ee08a86d70c6dbb15210f7216abbc77b54c6b