Malicious PDF — malware analysis report

Static analysis result for SHA-256 80b72f19d5b7ea2a…

MALICIOUS

PDF

Size: 60.7 KB
Authoring application: QPDF
MD5: 4bb4fd554a3e5a72d87c6e11130bd432
SHA-1: 9b2e266fabf4cfc8a5bbf40561ee0ca84b443d2e
SHA-256: 80b72f19d5b7ea2ac00f10b886db9b6a937945d8dfe06355b3f81f702dd617e3
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF was flagged by multiple heuristics, including a critical finding for a large external link farm and a ClamAV detection for phishing. The embedded URLs likely lead to malicious content or phishing sites. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://marioscleaningservice.com/uploads/1/3/0/7/130740110/witatiwe_funal_maritufopolarow.pdf
    • http://www.boogiecamp.com/uploads/1/3/0/4/130488362/roveruxiroxubofilex.pdf
    • http://a7.denjac.com/uploads/1/3/0/7/130739945/vebomeguvi_venudu_jifitoromawo.pdf
    • http://mjjam.net/uploads/1/3/0/3/130313103/vevaxiboromoti.pdf
    • http://kyoto-japan-django.club/uploads/1/3/0/7/130739028/42baca1.pdf
    • http://www.rachelandedwedding.com/uploads/1/3/0/9/130969853/0eca139d45614fd.pdf
    • http://kungfu-silat.net/uploads/1/3/0/7/130775651/kewugo.pdf
    • http://geigerair.com/uploads/1/3/0/5/130550960/d8a194b04c83.pdf
    • http://nrgsupply.ie/uploads/1/3/0/2/130291373/komigesikit-zodofuxexu-vokagafafomu.pdf
    • http://eraji.net/uploads/1/3/0/2/130274345/wonibuxunu-zodulotamugi-tuwox.pdf
    • http://bluepointassetmanagement.com/uploads/1/3/0/8/130814078/dewawamokube.pdf
    • http://www.ksamconsulting.com/uploads/1/3/0/7/130776351/tivozizub-godanatif.pdf
    • http://secondaire1et2.net/uploads/1/3/0/4/130489926/kotiz.pdf
    • http://buyeveryinglobal.com/uploads/1/3/0/2/130288381/babasu_kanuwer.pdf
    • http://shemikamoore.com/uploads/1/3/0/6/130603989/56f77932ff127ba.pdf
    • http://jamiefehr.com/uploads/1/3/0/6/130640199/130640199.html#h%C6%B0%E1%BB%9Bng+d%E1%BA%ABn+chuy%E1%BB%83n+file+pdf+sang+word+2013
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, the source location inside the PDF, and the size.

  • font_00_sfnt_off0000631d.bin
    SHA-256: 27aad4e7100ae85831cc1a9cf4859e84521ff6b1ee9ac199fa10e6c4d4b25dad
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x631D
    Size: 2736 bytes
  • font_01_sfnt_off00006e08.bin
    SHA-256: 944c796357a4ae6d7d210ced0f218a56d70dd4ea32916f01a89b67ac36eebc58
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6E08
    Size: 24860 bytes
  • font_02_sfnt_off0000906b.bin
    SHA-256: cb17844ec16c443efa24d9594fb73fffe2f69bbced93e28a46300ede460a504b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x906B
    Size: 10812 bytes