Malicious PDF — malware analysis report

Static analysis result for SHA-256 80d3a50cd0c8f893…

MALICIOUS

PDF

Size: 36.2 KB
Authoring application: Scribus
MD5: 984de4a0cce020b07e2e67f5bfb53c21
SHA-1: 63c633589d41c52f7bc977b600ead4c9ac1d4a2b
SHA-256: 80d3a50cd0c8f89321b0e4a697bd38f65254231979f4c55c7c0e1ba2897e875a
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO spam or to distribute malicious content. ClamAV identified this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and a critical heuristic detected a 'PDF_SEO_LINK_FARM' with 22 external links. The ML classifier also strongly indicated maliciousness. The document body contains garbled text and a reference to a car part, which appears to be a lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://razer.18xx.fun/uploads/2020/01/28/zunuwivovitegib.pdf
    • http://alanpliuart.com/uploads/1/3/0/5/130590511/5971629.pdf
    • http://mygoodlife.solutions/uploads/1/3/0/5/130551795/relopelem.pdf
    • http://lefetus.massrage.ru/uploads/2020/01/27/dewukumofukavefula.pdf
    • http://kef.markaajans.online/uploads/2020/01/28/menosanavuziduv_liluvemibunutud_nupokufolumev.pdf
    • http://xibulujij.vipiski-besplatno29.icu/uploads/2020/01/28/0918ff702.pdf
    • http://ceecentre.com/uploads/1/3/0/6/130620337/ridelenado.pdf
    • http://bdaddysgrill.net/uploads/1/3/0/5/130589237/5657165.pdf
    • http://conversionpix.com/uploads/1/3/0/4/130476034/demolokunarop.pdf
    • http://vomopig.stopgemorroj.ru/uploads/2020/01/28/siwotej.pdf
    • http://matthewschwartz.org/uploads/1/3/0/6/130621839/4368196.pdf
    • http://bsa-sccc-pack301.com/uploads/1/3/0/5/130590672/130590672.html#99+lexus+gs300+throttle+position+sensor

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000012c3.bin
SHA-256: 66185b1bb850129754bf8c2dba8adaa8131859274f905b4f8a2877a7e1c6976f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12C3
Size: 8412 bytes