Malicious PDF — malware analysis report

Static analysis result for SHA-256 813440dd142e0cdb…

Verdict: MALICIOUS
File type: PDF
Size: 103.0 KB
Authoring application: ImageMagick
MD5: 21acdd1555c99ed9ca6615bb5e410054
SHA-1: 5e86f89ff9a054177f1475cd3abaa69085c86015
SHA-256: 813440dd142e0cdb4a7bc1db8b62286508d1adfa1d038b69e745d090a4e766c5
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1059.001 Command and Scripting Interpreter: PowerShell

The PDF file was flagged as malicious by three independent checks: a ClamAV signature, an ML classifier and the PDF_SEO_LINK_FARM heuristic. The heuristic identified 19 clickable external links, the first being http://redneckfest.org/uploads/1/3/0/3/130323462/gupogomezakuki.pdf; 18 of them point at further .pdf files, and although every link sits on a different host, all 19 share the same /uploads/1/3/0/<digit>/<nine digits>/ path template, which is the generated, template-driven pattern the heuristic looks for. The document's primary purpose is therefore to route users to external sites, likely for credential harvesting or further malware delivery. No scripts were extracted from this sample, so the T1059.001 (PowerShell) mapping is not evidenced by the file's own content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (19):
    • http://redneckfest.org/uploads/1/3/0/3/130323462/gupogomezakuki.pdf
    • http://improbable-studios.com/uploads/1/3/0/7/130776421/8570137.pdf
    • http://mta-sts.mail.brickalleybistro.com/uploads/1/3/0/6/130639776/b2ab6f75.pdf
    • http://spectrumart.org/uploads/1/3/0/8/130814088/xipefumexawafux-kalanixamubuwe-xejuwibata.pdf
    • http://www.alanruuska.com/uploads/1/3/0/6/130621857/8411292.pdf
    • http://ketoqr.com/uploads/1/3/0/7/130739474/gaziwineza.pdf
    • http://runforestrunclub.com/uploads/1/3/0/5/130588498/7176c1925.pdf
    • http://talesoftwotravelers.com/uploads/1/3/0/2/130287972/da9eacff7dc6853.pdf
    • http://quantumlevelsoulhealing.com/uploads/1/3/0/6/130604699/munoru.pdf
    • http://fashionblitz.org/uploads/1/3/0/3/130323384/ecd8ed74a7f8b.pdf
    • http://moretonislandfishingcharters.com/uploads/1/3/0/2/130272512/garularijesot-koloxepu.pdf
    • http://louisachawhan.com/uploads/1/3/0/6/130603906/255736.pdf
    • http://bjarkalundur.is/uploads/1/3/0/7/130775088/10e69d.pdf
    • http://wholelifemoment.com/uploads/1/3/0/5/130588880/jozosumew.pdf
    • http://plancul-reims.net/uploads/1/3/0/5/130590310/vadiwodun_goxanuboj.pdf
    • http://cfamemorymaster.com/uploads/1/3/0/4/130483492/e939047af0.pdf
    • http://bobdunphy.com/uploads/1/3/0/5/130539660/9d187d7b9cde.pdf
    • http://rncheadquarters.com/uploads/1/3/0/3/130323672/d739d8.pdf
    • http://wcd-khbyu3nv.mgh-r.ch/uploads/1/3/0/6/130639486/130639486.html#multilingual+definition+world+geography
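
How a PDF_SEO_LINK_FARM style check can be implemented, as an added example that is not the analysis platform's own code. It pulls /URI strings out of uncompressed link annotations with a regex, then scores the file on size, link count, share of .pdf targets and clustering by host or by path template (the report's sample clusters by template, not by host, so both are checked). The sample PDF, the hostnames under .test and every threshold value are constructed for this example; real samples often keep annotations inside FlateDecode object streams, which would have to be inflated before the regex is applied.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample URLs: distinct hosts, one shared
# /uploads/<d>/<d>/<d>/<d>/<9 digits>/ path template, mostly .pdf targets.
SAMPLE_URLS = [
    "http://example-host-%02d.test/uploads/1/3/0/%d/13033%05d/file%02d.pdf" % (i, i % 9, i, i)
    for i in range(10)
] + ["http://example-host-99.test/uploads/1/3/0/6/130639486/130639486.html#x"]


def build_sample_pdf(urls):
    """Constructed input: a tiny uncompressed PDF with one /Link annotation per URL."""
    annots = "".join(
        "<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (%s) >> >>\n" % u
        for u in urls
    )
    body = (
        "%PDF-1.4\n"
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        "3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + "] >> endobj\n"
        "trailer << /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


# /URI ( ... ) literal string; allows backslash-escaped characters inside.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def extract_uris(pdf_bytes):
    """Return the /URI literal strings found in raw (uncompressed) PDF bytes."""
    out = []
    for m in _URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        out.append(raw.decode("latin-1"))
    return out


def path_template(url):
    """Directory part of the path with digit runs replaced, e.g. /uploads/<n>/<n>/."""
    head = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "<n>", head)


# Thresholds are this example's own assumptions, not the report's values.
MAX_SIZE = 512 * 1024      # "small" PDF
MIN_LINKS = 8              # "mass" of external links
MIN_PDF_SHARE = 0.7        # most targets are further .pdf files
MIN_CLUSTER_SHARE = 0.6    # links cluster on one host or one path template


def link_farm_verdict(pdf_bytes):
    """Score a PDF for link-farm behaviour; returns the measurements and a verdict."""
    urls = [u for u in extract_uris(pdf_bytes)
            if u.lower().startswith(("http://", "https://"))]
    n = len(urls)
    result = {"size": len(pdf_bytes), "links": n, "hosts": 0, "pdf_share": 0.0,
              "host_share": 0.0, "template_share": 0.0, "link_farm": False}
    if n == 0:
        return result
    hosts = Counter(urlsplit(u).hostname or "" for u in urls)
    templates = Counter(path_template(u) for u in urls)
    pdf_links = sum(urlsplit(u).path.lower().endswith(".pdf") for u in urls)
    result.update(
        hosts=len(hosts),
        pdf_share=pdf_links / n,
        host_share=hosts.most_common(1)[0][1] / n,
        template_share=templates.most_common(1)[0][1] / n,
    )
    clustered = (result["host_share"] >= MIN_CLUSTER_SHARE
                 or result["template_share"] >= MIN_CLUSTER_SHARE)
    result["link_farm"] = (len(pdf_bytes) <= MAX_SIZE and n >= MIN_LINKS
                           and result["pdf_share"] >= MIN_PDF_SHARE and clustered)
    return result


SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    for k, v in link_farm_verdict(SAMPLE_PDF).items():
        print("%-15s %s" % (k, v))
```

The template check is what separates this sample from a document that merely cites many PDFs: citations scatter across unrelated path shapes, whereas generated carriers stamp the same directory template onto every host they are served from.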

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001210.bin
  SHA-256: e505d261cc59e2492e898be021d2663f15b13aa425e80d818514f587fbef0006
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1210
  Size:    11156 bytes

Filename: font_01_sfnt_off0000a6d0.bin
  SHA-256: d4bb9b13501e6a5a325ff03f996dbdb07ca6c1030475d2a56e2a5af2328f5e87
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xA6D0
  Size:    2632 bytes

Filename: font_02_sfnt_off00014de1.bin
  SHA-256: 013e3153b51f18e9f40b8f1eb4dfff032467c13f351f5ab1697eae43d2e2b2b3
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x14DE1
  Size:    16608 bytes
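
One way to carve embedded sfnt fonts out of a raw sample and produce a table like the one above, as an added example that is not the analysis platform's own carver. It scans for the sfnt magic values, validates the table directory (table count, printable tags, every table inside the buffer) so that stray occurrences of the bytes "true" or 00 01 00 00 are rejected, takes the carve size from the furthest table end, and names and hashes each hit the way the artifacts above are named. The two-table font and the PDF-like wrapper are constructed for this example and are not a usable font; the report's artifact sizes came from the PDF stream lengths, which this byte-level approach does not need.

```python
import hashlib
import struct

# sfnt version tags: TrueType (0x00010000 or 'true') and CFF-based OpenType ('OTTO').
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")


def parse_sfnt_at(data, off):
    """Validate an sfnt table directory at `off`; return (size, table tags) or None."""
    if off + 12 > len(data) or data[off:off + 4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack_from(">H", data, off + 4)[0]
    if not 1 <= num_tables <= 64:              # sanity bound; rejects text 'true' hits
        return None
    directory_end = off + 12 + 16 * num_tables
    if directory_end > len(data):
        return None
    tags, extent = [], directory_end
    for i in range(num_tables):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", data, off + 12 + 16 * i)
        if not all(0x20 <= b < 0x7F for b in tag):   # tags are printable ASCII
            return None
        if toff < 12 or off + toff + tlen > len(data):  # table must lie inside the data
            return None
        tags.append(tag.decode("ascii"))
        extent = max(extent, off + toff + tlen)  # offsets are relative to the font start
    return extent - off, tags


def carve_sfnt(data):
    """Scan a byte buffer for embedded sfnt fonts; return offset, size, tags and SHA-256."""
    found, pos = [], 0
    while pos < len(data):
        hits = [i for i in (data.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            break
        nxt = min(hits)
        parsed = parse_sfnt_at(data, nxt)
        if parsed is None:                       # magic bytes without a sane directory
            pos = nxt + 1
            continue
        size, tags = parsed
        blob = data[nxt:nxt + size]
        found.append({
            "name": "font_%02d_sfnt_off%08x.bin" % (len(found), nxt),
            "offset": nxt, "size": size, "tables": tags,
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
        pos = nxt + size
    return found


def build_sample_sfnt():
    """Constructed: a two-table sfnt ('head', 'name') with dummy payloads, 118 bytes."""
    tables = [(b"head", b"H" * 54), (b"name", b"N" * 20)]
    cursor = 12 + 16 * len(tables)
    records, payload = b"", b""
    for tag, body in tables:
        records += struct.pack(">4sIII", tag, 0, cursor, len(body))
        payload += body
        cursor += len(body)
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tables), 32, 1, 0)
    return header + records + payload


# Constructed PDF-like wrapper: a textual 'true' before the font and a bare magic
# with an absurd table count after it, both of which the validator must skip.
SAMPLE_DATA = (
    b"%PDF-1.4\n1 0 obj << /Interpolate true >> endobj\nstream\n"
    + build_sample_sfnt()
    + b"\nendstream\n\x00\x01\x00\x00\xff\xff" + b"\x00" * 40
)

if __name__ == "__main__":
    for hit in carve_sfnt(SAMPLE_DATA):
        print("%s  %s\n  sfnt at offset 0x%X  %d bytes  tables=%s"
              % (hit["name"], hit["sha256"], hit["offset"], hit["size"], hit["tables"]))
```

Hashing each carved font separately is what lets the artifacts in a report like this one be pivoted on: the same font blob reused across many generated carriers is a stronger clustering key than the hash of the whole PDF, which changes with every link set.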