Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f6eb10be3a59423…

Verdict: MALICIOUS
File type: PDF
Size: 41.0 KB
Authoring application: Serif PagePlus
MD5: e41cf4597bfcb62cf1fffac82bce1324
SHA-1: 9904b04643032d4290e94a8f3296077722fc07fd
SHA-256: 7f6eb10be3a594233d16f3e273728b5130bac44c3258e11c6d56da0c274ccbc5
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files across various domains, a technique often used for SEO spam or to distribute further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware delivery. The document body's content is largely garbled but contains references to 'mobile legends' and 'chess masters', which may be part of a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://sadetemab.zavod-tseh.ru/uploads/2020/01/28/luruvukuzoxakut.pdf
    • http://lebatik.ru/uploads/2020/01/28/fefudoxapuxivigozuj.pdf
    • http://oprzarab.xyz/uploads/2020/01/28/puwasebavaruzapidas.pdf
    • http://arizonashelfcorporations.com/uploads/1/3/0/2/130289002/nuzonetotasofux.pdf
    • http://1007dewdney.com/uploads/1/3/0/5/130550956/5127946.pdf
    • http://wawujato.tvpays.online/uploads/2020/01/27/f61150872d4607.pdf
    • https://sogiwapalavona.weebly.com/uploads/1/3/0/5/130590205/5784967.pdf
    • http://zukulosod.socfund.org/uploads/2020/01/28/logakijafu.pdf
    • http://obediencejourney.com/uploads/1/3/0/5/130550881/kawerisek.pdf
    • https://tadixuvoluta.weebly.com/uploads/1/3/0/4/130476410/d63bfb6aa0f8e3.pdf
    • http://for.fuse0000.online/uploads/2020/01/28/mudiwigugex_wikitubabafolek.pdf
    • https://nazojikoto.weebly.com/uploads/1/3/0/5/130551714/wewunelidika.pdf
    • http://bitpixerssupport.com/uploads/1/3/0/5/130539095/54afd3.pdf
    • http://victormorrowshow.com/uploads/1/3/0/5/130550951/mifesepob.pdf
    • http://margaretmidwood.com/uploads/1/3/0/3/130379204/2128430.pdf
    • http://specodezhka.ru/uploads/2020/01/28/tezitidojo.pdf
    • http://fofo.vikabibikova.ru/uploads/2020/01/28/vagaj.pdf
    • http://mznaturallypatriciallc.com/uploads/1/3/0/6/130604599/xanof_suzawamowam_rivadosomowelot.pdf
    • http://realestatepract.com/uploads/1/3/0/5/130588902/torogugerevipu_tebede_dezureje_kijitegaj.pdf
    • http://arielledcontreras.com/uploads/1/3/0/6/130621006/c111f4e6b25ab8.pdf
    • https://vumumijejaki.weebly.com/uploads/1/3/0/5/130538818/fba5ff0639932.pdf
    • http://rebeccalaplacaattia.com/uploads/1/3/0/6/130639569/130639569.html#auto+chess+mobile+legends
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
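The PDF_SEO_LINK_FARM heuristic and the per-URL channel labels above can be reproduced with stdlib Python. The following is an added example, not the scanner's own code: it writes a small one-page PDF with one /Link annotation per URL, extracts /URI actions (the clickable link-annotation channel) separately from URLs that only occur as page text (the document-body channel), and then applies three assumed cutoffs: file at most 200 KB, at least ten clickable .pdf links, and at least half of those on a single host. The thresholds, the build_pdf/extract_urls/link_farm_verdict names, and the reserved .example hostnames are assumptions for the demo, not values taken from the report.

```python
"""Toy link-farm heuristic over PDF /Link annotations (added example, not the
scanner's own code). Thresholds and sample URLs are assumptions for the demo."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed cutoffs; the real PDF_SEO_LINK_FARM rule does not publish its values.
MAX_SIZE_BYTES = 200 * 1024     # "small PDF"
MIN_PDF_LINKS = 10              # "many" clickable .pdf links
MIN_CLUSTER_SHARE = 0.5         # "mostly clustered on one host"

# /URI action inside a /Link annotation (clickable link channel).
_URI_ACTION = re.compile(rb"/URI\s*\((.*?)\)", re.S)
# Any http(s) URL in the raw bytes (catches page text as well as annotations).
_BODY_URL = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")


def build_pdf(uris, body_text):
    """Write a minimal one-page PDF with one /Link annotation per URI.
    Objects: 1 catalog, 2 pages, 3 page, 4 content stream, 5.. annotations."""
    annot_ids = list(range(5, 5 + len(uris)))
    content = b"BT /F1 12 Tf 72 720 Td (" + body_text + b") Tj ET"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R"
        b" /Annots [" + b" ".join(b"%d 0 R" % i for i in annot_ids) + b"] >>",
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
    ]
    for i, uri in enumerate(uris):
        y = 700 - 14 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 300 %d]"
                    b" /A << /S /URI /URI (%s) >> >>" % (y, y + 12, uri))
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref))
    return bytes(out)


def extract_urls(pdf_bytes):
    """Map each URL to the channel that reached it: 'link_annotation' for
    /URI actions, 'document_body' for URLs only seen as text."""
    urls = {}
    for m in _URI_ACTION.finditer(pdf_bytes):
        urls[m.group(1).decode("latin-1")] = "link_annotation"
    for m in _BODY_URL.finditer(pdf_bytes):
        urls.setdefault(m.group(0).decode("latin-1"), "document_body")
    return urls


def link_farm_verdict(pdf_bytes):
    """Apply the three conditions: small file, many clickable external .pdf
    links, and those links concentrated on a single host."""
    urls = extract_urls(pdf_bytes)
    clickable = [u for u, ch in urls.items() if ch == "link_annotation"]
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    fired = (len(pdf_bytes) <= MAX_SIZE_BYTES
             and len(pdf_links) >= MIN_PDF_LINKS
             and share >= MIN_CLUSTER_SHARE)
    return {"size": len(pdf_bytes), "clickable": len(clickable),
            "pdf_links": len(pdf_links), "top_host": top_host,
            "top_share": round(share, 2), "PDF_SEO_LINK_FARM": fired}


# Constructed samples on RFC 2606 reserved names; not the report's URLs.
FARM_URIS = [b"http://cdn.farm.example/uploads/2020/01/28/doc%02d.pdf" % k
             for k in range(12)] + [
    b"http://other-a.example/uploads/1/3/0/5/1.pdf",
    b"http://other-b.example/uploads/1/3/0/5/2.pdf",
    b"http://other-c.example/uploads/1/3/0/5/3.pdf",
]
FARM_PDF = build_pdf(FARM_URIS, b"mobile legends auto chess masters guide")
BENIGN_PDF = build_pdf([b"https://ref.example/paper.pdf", b"https://ref.example/"],
                       b"See http://ref.example/notes.html for context")

if __name__ == "__main__":
    for name, pdf in (("farm", FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, link_farm_verdict(pdf))
```

Running the file prints a verdict for the constructed link-farm sample (fires: 15 clickable .pdf links, 12 of them on one host) and for a two-link benign sample (does not fire). The regex extraction is deliberately simple: it does not decode object streams or Flate-compressed annotation dictionaries, so a carrier that hides its /Annots inside an /ObjStm needs a proper PDF parser in front of this logic.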

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000163c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x163C   8500 bytes
  SHA-256: 79bb71f540f116ae631a6a16e4eb3368c3e16e2d38e81a77d5d9ceb1663c7c4b
font_01_sfnt_off0000533a.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x533A   19552 bytes
  SHA-256: f1ab6171db39e8f838f6bb2c2f354859165936690ca0167211ffe8964cb6b5c8
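The two font_00/font_01 artifacts are stream objects whose decoded data starts with an sfnt magic. As an added example, not the analysis pipeline's own carver, the Python script below scans a PDF for stream dictionaries, honours a direct /Length, inflates /FlateDecode streams, and records offset, size and SHA-256 for every stream whose first four bytes identify a TrueType or OpenType container. The SAMPLE_PDF bytes, the object numbers and the function names are constructed for the demo, and the assumption that "offset" means the start of the stream data is mine, not stated by the report.

```python
"""Carve embedded sfnt fonts (TrueType/OpenType) out of a PDF's stream objects.
Added example, not the analysis pipeline's carver; sample bytes are constructed."""
import hashlib
import re
import zlib

# First four bytes of an sfnt container: TrueType, CFF OpenType, Apple 'true', collection.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")

# Stream dictionary (one level of nesting allowed) followed by its data up to endstream.
_STREAM = re.compile(
    rb"(<<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# A direct /Length value; an indirect one ("n 0 R") is rejected by the lookahead.
_DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def carve_sfnt_streams(pdf_bytes):
    """Return one record per stream whose (decoded) data starts with an sfnt magic.
    'offset' is where the stream data begins in the file (assumed to match the
    report's offset column); 'size' is the decoded length."""
    found = []
    for m in _STREAM.finditer(pdf_bytes):
        sdict, start = m.group(1), m.start(2)
        lm = _DIRECT_LENGTH.search(sdict)
        # Prefer the declared length; fall back to the endstream search otherwise.
        raw = pdf_bytes[start:start + int(lm.group(1))] if lm else m.group(2)
        compressed = b"/FlateDecode" in sdict
        if compressed:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue            # truncated or non-zlib data: skip, do not abort
        else:
            data = raw
        if data[:4] in SFNT_MAGICS:
            found.append({"offset": start, "size": len(data),
                          "compressed": compressed, "sha256": sha256_hex(data)})
    return found


def _stream_obj(num, sdict, payload):
    return b"%d 0 obj\n%s\nstream\n%s\nendstream\nendobj\n" % (num, sdict, payload)


# Constructed sample: a text content stream, a raw TrueType stream and a
# Flate-compressed CFF OpenType stream. Font payloads are headers padded with zeros.
CONTENT = b"BT /F1 12 Tf (hello) Tj ET"
TTF_FONT = b"\x00\x01\x00\x00" + b"\x00" * 20
OTF_FONT = b"OTTO" + b"\x00" * 60
_OTF_DEFLATED = zlib.compress(OTF_FONT)
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + _stream_obj(4, b"<< /Length %d >>" % len(CONTENT), CONTENT)
    + _stream_obj(7, b"<< /Length %d /Length1 %d >>" % (len(TTF_FONT), len(TTF_FONT)), TTF_FONT)
    + _stream_obj(8, b"<< /Length %d /Filter /FlateDecode /Subtype /OpenType >>"
                  % len(_OTF_DEFLATED), _OTF_DEFLATED)
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    for rec in carve_sfnt_streams(SAMPLE_PDF):
        print("font at offset 0x%X, %d bytes, compressed=%s, sha256=%s" % (
            rec["offset"], rec["size"], rec["compressed"], rec["sha256"]))
```

For a compressed stream the reported size is the inflated length, so it differs from the on-disk length, which is the figure the /Length key carries. Indirect /Length values (n 0 R) fall back to searching for the endstream keyword, and malformed zlib data is skipped rather than aborting the scan, which matters when carving from a deliberately damaged sample.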