Malicious PDF — malware analysis report

Static analysis result for SHA-256 822c125bba6f10f3…

MALICIOUS

PDF

Size: 48.4 KB
Authoring application: ImageMagick
MD5: 88f29de1c47f93c08d081ae0b6f6ac02
SHA-1: 35564b4ea1a31d5ba39c56aa02eb218c8d9f5493
SHA-256: 822c125bba6f10f32fc267e3452b88046f960e95d69763cbcf9e0e57800b1395
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, exhibiting a critical heuristic for a large number of external PDF links. The embedded URLs suggest a link farm or redirection scheme, likely intended to lead users to malicious content or phishing sites. No scripts were extracted, but the PDF structure itself facilitates the attack by hosting numerous external links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: stream_003_off00006bdd.bin
  SHA-256: 1c7aabf1808250d35af82a0eac5fa7440499d576d25f426b4763b5a2e8269531
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x6BDD
  Size: 20540 bytes

Filename: font_00_sfnt_off00001396.bin
  SHA-256: e3bfad0353c63de8df73f51622aa36e44e6c8a418ed77edb9579d82655663cb5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1396
  Size: 8568 bytes