Malicious PDF — malware analysis report

Static analysis result for SHA-256 8276a0da8fc855fc…

MALICIOUS

PDF

49.0 KB Authoring application: Solid Converter PDF
MD5: 90fc67bf666e7c165c608f85b8a7f255 SHA-1: e155296315970778ddf8a95a5ef1ba66bd24d713 SHA-256: 8276a0da8fc855fcc1196040713d1ae33bbb1211b995c91787436584188461eb
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file was identified as malicious by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule and ClamAV detection. The file contains a large number of embedded URLs pointing to external PDF files, suggesting a link farm or a distribution mechanism for further malicious content. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://kpaonilne.com/uploads/1/3/0/4/130436154/531466.pdf
    • http://www.bcummings4.com/uploads/1/3/0/6/130621162/6663095.pdf
    • http://www.happinessprojectgroup.com/uploads/1/3/0/6/130639656/fc35a.pdf
    • http://www.holistically-healthy.co.uk/uploads/1/3/0/2/130291415/vixoko.pdf
    • http://didditt.net/uploads/1/3/0/5/130589313/risozinusoduxufodasu.pdf
    • http://boatinguae.net/uploads/1/3/0/2/130271063/givinep-kapowato-kogadetodewit-xabegeseb.pdf
    • http://presenceinthemoment.com/uploads/1/3/0/9/130969840/410232.pdf
    • http://edgelandscapeandmaintenance.com/uploads/1/3/0/7/130740465/5200506.pdf
    • http://stevensmondata.com/uploads/1/3/0/2/130289410/nofixos.pdf
    • http://sunfanglu.com/uploads/1/3/0/2/130272940/97de0a2.pdf
    • http://www.amsshutter.com.au/uploads/1/3/0/6/130605179/tujez.pdf
    • http://www.competetennismerchandise.co.uk/uploads/1/3/0/4/130476499/6594815.pdf
    • http://southforkfunds.com/uploads/1/3/0/3/130323959/vujemidirigufonavu.pdf
    • http://facedoctorshowick.co.nz/uploads/1/3/0/8/130874169/teredazejekodepi.pdf
    • http://carolinelsmith.com/uploads/1/3/0/4/130436337/pukusadole-xepiva-suzapupujog.pdf
    • http://caqrecords.com/uploads/1/3/0/3/130313307/kavujuzavivu.pdf
    • http://newarkfootdoctor.com/uploads/1/3/0/7/130775758/7f52e2bf6d7b109.pdf
    • http://mentorherbizmembership.com/uploads/1/3/0/5/130588780/811ccf151a772.pdf
    • http://resonancetapexperience.com/uploads/1/3/0/6/130620834/tusanuwanotereg_vufabaferinave_talusefurapu.pdf
    • http://withlovec.blog/uploads/1/3/0/3/130379222/fetiji.pdf
    • http://milnertools.com/uploads/1/3/0/2/130288864/tewofagadomisap_rotosur_podijitoxigogu.pdf
    • http://yaldocargo.com/uploads/1/3/0/5/130588276/8107291.pdf
    • http://stlplaytherapyinstitute.com/uploads/1/3/0/7/130740492/risirukavulap.pdf
    • http://fouremusic.com/uploads/1/3/0/8/130813851/neworo_petinudemegew_dijav_dexotasun.pdf
    • http://45t34.slpny.com/uploads/1/3/0/5/130588332/130588332.html#asymptotic+notation+in+data+structure+with+example+ppt
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003a4a.bin
c487c5b19b4afdd9ad3b9bc0dab531d85852a57c1479c9b6b9233a49939ee238		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3A4A 3320 bytes
font_01_sfnt_off00004487.bin
f72d16c697c6b8e398e14c4bbf2202d25a38f0c2c73f48dfd10869af466e4fdd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4487 16176 bytes
font_02_sfnt_off00005c55.bin
a8dc0d8751df9feb8c65fc19dbad6e1583b630414209e80f50aeb37a64561cd5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C55 7708 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.