Malicious PDF — malware analysis report

Static analysis result for SHA-256 8273cadc4f47d68d…

Verdict: MALICIOUS
File type: PDF
Size: 42.5 KB
Authoring application: Poppler-utils
MD5:     0df806834553d65fb32903376bfff222
SHA-1:   b4293cd48eac9ecc7a51a7cacf9650972f50b862
SHA-256: 8273cadc4f47d68d92f988fb755175311f1b133e6bb110f46fbe3a73738abbd2
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link. The name originally listed here, "Spearphishing Attachment", belongs to T1566.001; the ID and name had been mixed. Both sub-techniques fit this sample (the PDF is the attachment, its payload is the set of external links).
  • T1059.001 Command and Scripting Interpreter: PowerShell. Not corroborated by the static artifacts: no script content was extracted from this sample, so this mapping rests on the signature family rather than on anything observed in the file.

The PDF embeds 16 clickable external URLs. Fifteen of them point at PDF files hosted on different domains that all share the same /uploads/1/3/0/ path structure; the sixteenth points at an HTML page whose URL fragment is a keyword-stuffed search phrase. That is the SEO link-farm pattern flagged by the PDF_SEO_LINK_FARM heuristic and matched by the ClamAV signature: the document exists to route readers into further hosted PDFs, not to cite sources. The Nyx PDF classifier also scored it as malicious (1.0000). No script content was extracted from the sample, so the risk is in where the links lead rather than in code inside the file. The producer string (Poppler-utils) is self-reported metadata, but taken at face value it indicates a tool-generated file rather than an authored document, which is consistent with a generated carrier.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, typically clustered on one host or, as here, on one path structure across many hosts. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) record how each URL was reached.
    • http://modajewelry.shop/uploads/1/3/0/7/130740012/pomonusu.pdf
    • http://acadianaphoto.com/uploads/1/3/0/7/130775652/lupuzipitam.pdf
    • http://www.drawingsbroughttolife.com/uploads/1/3/0/6/130620902/mokanitobarilutato.pdf
    • http://cunningham-exonumia.com/uploads/1/3/0/3/130323520/9392439.pdf
    • http://dragonmtn.club/uploads/1/3/0/2/130272275/ecebbac1f825c.pdf
    • http://mx.ocalametaldetectingclub.com/uploads/1/3/0/9/130969659/wilaxe-benirigis.pdf
    • http://myzik-xit.site/uploads/1/3/0/3/130379087/foribipuvomulizeboma.pdf
    • http://declareservices.com/uploads/1/3/0/7/130740357/xibupewabef.pdf
    • http://mcdonaldbarneslaw.com/uploads/1/3/0/7/130738881/dojefabi-resepe-xanefez-firofejufunat.pdf
    • http://mizshift.com/uploads/1/3/0/7/130738625/finoxovan-maxogogezanure-nojatok-vesubamu.pdf
    • http://tophabitatimoveis.com/uploads/1/3/0/7/130740018/gubini.pdf
    • http://www.qcdoodles.com/uploads/1/3/0/2/130271159/6f8945c9.pdf
    • http://www.sallynailscamphill.com/uploads/1/3/0/6/130621298/2ce2b6c721.pdf
    • http://tonygallippi.com/uploads/1/3/0/6/130621483/3667657.pdf
    • http://www.thewendyhouseholidaylet.com/uploads/1/3/0/3/130379291/luwijufume-fimoj-bizaxobex-nizig.pdf
    • http://spacecreationdesign.com/uploads/1/3/0/6/130603917/130603917.html#how+to+solve+adding+and+subtracting+dissimilar+rational+algebraic+expressions
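The PDF_SEO_LINK_FARM heuristic above describes a pattern, not a procedure. The script below is an added example, not the scanner's or ClamAV's code, showing one way to reproduce that verdict offline: pull /URI link targets out of a PDF with a byte-level scan, then score the file on size, link count, share of .pdf targets, and how tightly the targets cluster. It goes one step beyond the heuristic's "one host" wording by also clustering on path shape, because the URLs in this sample sit on 15 different hosts but share one /uploads/N/N/N/N/N/ template. The thresholds, the placeholder hosts in the constructed inputs, and the tiny PDF builder used to make a test file are all assumptions of this example; the scan also assumes the annotations are not inside compressed object streams (run `qpdf --qdf --object-streams=disable in.pdf out.pdf` first if they are).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI targets appear either as literal strings "(...)" or hex strings "<...>".
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def extract_uris(pdf_bytes):
    """Return the /URI action targets visible in an unencrypted PDF.

    Assumes link annotations are not hidden inside compressed object streams;
    normalise the file with qpdf first if they are.
    """
    found = []
    for m in URI_LITERAL.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        found.append(raw.decode("latin-1"))
    for m in URI_HEX.finditer(pdf_bytes):
        digits = re.sub(rb"\s", b"", m.group(1)).decode("ascii")
        if len(digits) % 2:
            digits += "0"  # PDF pads a trailing odd nibble with zero
        found.append(bytes.fromhex(digits).decode("latin-1"))
    return found


def path_template(path):
    """Collapse a URL path to its shape: digit-only segments become N, the file name becomes *."""
    parts = [p for p in path.split("/") if p]
    if not parts:
        return "/"
    shaped = ["N" if p.isdigit() else p for p in parts[:-1]]
    return "/" + "/".join(shaped + ["*"])


def link_farm_verdict(pdf_bytes, max_size=64 * 1024, min_links=10,
                      min_pdf_ratio=0.75, min_cluster=0.8):
    """Score a PDF against the link-farm pattern: a small file whose clickable
    links are mostly external .pdf targets sharing one host or one path shape.
    Thresholds are illustrative assumptions, not the scanner's tuned values."""
    external = []
    for u in extract_uris(pdf_bytes):
        parts = urlsplit(u)
        if parts.scheme.lower() in ("http", "https") and parts.hostname:
            external.append(parts)
    n = len(external)
    hosts = Counter(p.hostname.lower() for p in external)
    shapes = Counter(path_template(p.path) for p in external)
    pdf_ratio = sum(p.path.lower().endswith(".pdf") for p in external) / n if n else 0.0
    host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    shape_share = shapes.most_common(1)[0][1] / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and pdf_ratio >= min_pdf_ratio
               and max(host_share, shape_share) >= min_cluster)
    return {
        "size": len(pdf_bytes),
        "external_links": n,
        "distinct_hosts": len(hosts),
        "pdf_ratio": round(pdf_ratio, 3),
        "top_host_share": round(host_share, 3),
        "top_path_shape": shapes.most_common(1)[0][0] if n else None,
        "top_shape_share": round(shape_share, 3),
        "flagged": flagged,
    }


def build_sample_pdf(urls):
    """Construct a tiny single-page PDF with one /Link annotation per URL (test input only)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % i for i in range(4, 4 + len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annots + b"] >>")
    for u in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + u.encode("ascii") + b") >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


# Constructed inputs: a farm-shaped link set (distinct hosts, one path shape, all .pdf)
# and a citation-shaped one. Hosts are placeholders, not the report's URLs.
FARM_URLS = ["http://site%02d.example/uploads/1/3/0/%d/1307%05d/doc%d.pdf" % (i, i % 9, i * 37, i)
             for i in range(12)]
CITATION_URLS = ["https://www.example.org/paper.pdf", "https://docs.example.com/guide",
                 "http://example.net/about.html"]

if __name__ == "__main__":
    for label, urls in (("farm", FARM_URLS), ("citations", CITATION_URLS)):
        print(label, link_farm_verdict(build_sample_pdf(urls)))
```

Run against the real sample, the verdict dictionary gives a reviewer the numbers the heuristic summarises (16 external links, 15 distinct hosts, pdf_ratio just under 1.0, top_shape_share near 1.0) rather than a bare "critical" label, and the path_template output makes the shared hosting template visible even when the top_host_share is tiny.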

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off00003462.bin
  SHA-256: d5d508731e205e2757b4dae24a5e242f7bc251b11caa13ae0b9f053a0dac8b51
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x3462
  Size:    16064 bytes

font_01_sfnt_off00004ba8.bin
  SHA-256: 9e6bb45e03c0c3ffc93e33e83c2821a6d9692660f35633bb044412c424539cbf
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x4BA8
  Size:    7684 bytes