Malicious PDF — malware analysis report

Static analysis result for SHA-256 82dc66dd86cdc771…

Verdict: MALICIOUS
File type: PDF

Size: 44.0 KB
Authoring application: Mobipocket Creator
MD5: ddb12aae2ddc5bf10ea8c1ddf526b2a5
SHA-1: 46eba8923739f43a175b39b12f694ed27555df55
SHA-256: 82dc66dd86cdc771a568964be57755372be778a7296c33e61064ab180c710f0e
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs, forming a link farm, which is a common technique for distributing malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution. No scripts were extracted, but the embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://dineshdecoded.com/uploads/1/3/0/5/130588651/89146.pdf
    • http://lapbandlosangeles.net/uploads/1/3/0/4/130476511/gejaj.pdf
    • http://rnfincaraiz.com/uploads/1/3/0/4/130490561/potexo_kixakajoke.pdf
    • http://dogwoobies.com/uploads/1/3/0/6/130639336/fovefomanekos.pdf
    • http://unsubscribetoviolence.com/uploads/1/3/0/7/130740441/pubojexifudon-zafagebikono-wadoz.pdf
    • http://mermaidtidying.com/uploads/1/3/0/6/130639019/dagadesogeme.pdf
    • http://northstarmobilehomepark.com/uploads/1/3/0/5/130547689/laxesemut.pdf
    • http://www.thesuccessjourney.org/uploads/1/3/0/2/130288453/cedcab9d8d00de4.pdf
    • http://whaleheadoceanfront.com/uploads/1/3/0/6/130620731/lozuxado.pdf
    • http://yincaravana.com/uploads/1/3/0/5/130589460/424030.pdf
    • http://cisna.org/uploads/1/3/0/6/130620565/navubupilabe_fobabanijed_luwawavugujuz_teliz.pdf
    • http://herndonwomansclub.com/uploads/1/3/0/7/130739024/400d8c07de.pdf
    • http://www.laughingbuddharetreats.com/uploads/1/3/0/8/130873894/zovupagek-satevowa-xokemutu-pimufezinu.pdf
    • http://drhassall.com/uploads/1/3/0/8/130873740/b8b597b70.pdf
    • http://annearundelhandcenter.com/uploads/1/3/0/6/130620267/8240322.pdf
    • http://srdasaulas.com/uploads/1/3/0/7/130739806/29bc6d1.pdf
    • http://www.shesjustamom.com/uploads/1/3/0/6/130639034/db3b1d814.pdf
    • http://isswave.org/uploads/1/3/0/4/130483632/9028876.pdf
    • http://witchesforest.com/uploads/1/3/0/2/130270790/8782031.pdf
    • http://mail.suzette-brown.com/uploads/1/3/0/6/130604805/9370455.pdf
    • http://aladybugsbaskets.com/uploads/1/3/0/6/130621800/230805c0031.pdf
    • http://www.hotheadsrock.com/uploads/1/3/0/5/130588240/wuvanokotozadibez.pdf
    • http://ropgenius.com/uploads/1/3/0/9/130969862/nuletapemaxadu.pdf
    • http://nmis.co/uploads/1/3/0/2/130271132/refibewovaxomi-xarakadisefu-wetipa.pdf
    • http://spanishartdecor.com/uploads/1/3/0/4/130476912/fowuxejoveb-nimoxodufefewaj.pdf
    • http://blackfilmcentre.org/uploads/1/3/0/5/130588279/130588279.html#addie+model+instructional+design+process

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000480a.bin
SHA-256: 5432949087787e2837470cf168d512c4a92a81d56fe5ecfd3a8979a6bcbab770
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x480A
Size: 7804 bytes