Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e2e49684a0b7242…

Verdict: MALICIOUS
File type: PDF
Size: 37.9 KB
Authoring application: Mobipocket Creator
MD5: 200b60268360b987e2c8491274d298c3
SHA-1: 7b77f162c3160a36f88b492ca74176e70abdcf2e
SHA-256: 7e2e49684a0b7242a51cb85eb2d9fcde3f58a709065c12a934fc495fbea3cb11
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of embedded links to external PDF files, identified as a 'PDF_SEO_LINK_FARM' heuristic. The document body, though partially corrupted, contains text related to locating an Android mobile, suggesting a lure. The ClamAV detection and ML classifier further indicate malicious intent, likely related to phishing or distributing further malware via the linked PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011e3.bin
SHA-256: eb96c43451c3eab4d7ef401a4cbcfb0fe0dba660b8a561366abee2b924f70167
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11E3
Size: 8892 bytes