Malicious PDF — malware analysis report

Static analysis result for SHA-256 833d1e5eda149a21…

MALICIOUS

PDF

Size: 56.2 KB
Authoring application: Mobipocket Creator

MD5: 51773d6de866aee66d7b4f5da8484684
SHA-1: 94878358208557f57e8c3542879e90e9d2afed9d
SHA-256: 833d1e5eda149a2127dd0d36c6697de9d562b8b5996959750f352406ca97558f

Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF was flagged by multiple heuristics, including a critical finding for a link farm of 31 external PDF links. The ML classifier also scored the file as malicious with very high confidence. The embedded URLs point to a phishing or content-hosting campaign, most likely SEO manipulation or a redirect chain that delivers further malicious content. No JavaScript, embedded-file or macro heuristics fired; the verdict rests on the link annotations, the ClamAV signature and the ML score, so the document itself is the lure and the payload, if any, lives behind the linked URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The list below holds 19 distinct URLs (16 PDF targets, one HTML page and two dejavu.sourceforge.net pages), fewer than the 31 link annotations counted by the link-farm heuristic, so several annotations share a target. The two dejavu.sourceforge.net entries are the DejaVu font project's homepage and license page and most likely come from the metadata of the embedded sfnt fonts listed under Extracted artifacts, not from a clickable link.
    • http://wokinakar.frmclinicsrussia.ru/uploads/2020/01/28/2608752.pdf
    • http://guxek.leoescamilla.com/uploads/2020/01/29/janepabidi.pdf
    • http://may-som.com/uploads/1/3/0/5/130589281/b742d6cd96.pdf
    • http://harvestrunningfestival.com/uploads/1/3/0/6/130621714/3bccc.pdf
    • http://designityourselfweddingrentals.net/uploads/1/3/0/3/130313458/fapofolefiruwob.pdf
    • http://var.cheriben-site.com/uploads/2020/01/27/gavuj_zalesodefovi_kunivodenorida_pifakiw.pdf
    • https://viridonowokuxak.weebly.com/uploads/1/3/0/5/130550721/3619196.pdf
    • http://zerotoxaro.shoop-goo.info/uploads/2020/01/27/vatovebetekas.pdf
    • http://puwizefe.lifefocus.online/uploads/2020/01/28/36e55cdbfd.pdf
    • http://connecttbs.com/uploads/1/3/0/2/130287895/d0f34.pdf
    • http://rachaelmaephotography.com/uploads/1/3/0/6/130604554/4428023.pdf
    • http://witoxutek.digitalcodesnet.com/uploads/2020/01/28/9019493.pdf
    • http://poppies-daycare.co.uk/uploads/1/3/0/5/130543816/ce5c0ee6d.pdf
    • http://kinderdagverblijfzandopdemat.nl/uploads/1/3/0/5/130551949/74afc.pdf
    • http://defokud.spikedtearadio.com/uploads/2020/01/29/4051226.pdf
    • http://youuoyrecords.org/uploads/1/3/0/6/130639990/524ad4149069a.pdf
    • http://hello-baby-toys.com/uploads/1/3/0/6/130639226/130639226.html#aila+re+aila+song++malaal
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
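The link-farm heuristic above reasons over three things: how small the file is, how many of its link annotations point at external .pdf files, and how concentrated those links are on a single host. The following is an added example of that logic, written for this page and not the scanner's own code. It pulls /URI targets out of link-annotation dictionaries with a regular expression (assumption: the PDF is uncompressed, as generated carriers usually are; hex strings and object streams are not handled), separates external http(s) links from other schemes, counts .pdf targets and host concentration, and flags the file against thresholds that are illustrative assumptions. The sample PDF and its URLs are constructed inline so the script runs offline.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# /URI entries of link annotations in literal-string form, e.g. /URI (http://...).
# Assumption: uncompressed PDF; hex strings, escaped parentheses and compressed
# object streams are out of scope for this toy extractor.
URI_RE = re.compile(rb"/URI\s*\((?P<uri>[^)]*)\)")


def extract_link_uris(pdf_bytes: bytes) -> list:
    """Return every /URI target found in link-annotation dictionaries, in order."""
    return [m.group("uri").decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def analyse_links(pdf_bytes: bytes, max_size: int = 200 * 1024, min_pdf_links: int = 10) -> dict:
    """Summarise link annotations the way a link-farm heuristic reasons.

    max_size and min_pdf_links are illustrative thresholds (assumptions), not the
    scanner's real values. The file is flagged when it is small and carries at
    least min_pdf_links external links whose path ends in .pdf.
    """
    uris = extract_link_uris(pdf_bytes)
    # Only http(s) links are "external"; mailto:, file: etc. are dropped here.
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    return {
        "size": len(pdf_bytes),
        "uri_count": len(uris),
        "external": len(external),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_count": top_count,
        "top_host_share": round(top_count / len(external), 2) if external else 0.0,
        "flag": len(pdf_bytes) <= max_size and len(pdf_links) >= min_pdf_links,
    }


def build_sample_pdf(urls: list) -> bytes:
    """Constructed minimal PDF with one /Link annotation per URL.

    It has no xref table, so a strict reader would reject it; it only needs to
    look like the object soup a carver or regex-based scanner sees.
    """
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /Annots [{annot_refs}] >>".encode())
    for i, u in enumerate(urls):
        rect = f"[0 {i * 12} 200 {i * 12 + 10}]"
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect {rect} "
                    f"/A << /S /URI /URI ({u}) >> >>".encode())
    body = b"".join(f"{n} 0 obj\n".encode() + o + b"\nendobj\n"
                    for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed sample: 8 PDF links on one host, 4 on other hosts, one HTML page
# with a fragment, one font-project URL and one mailto: that is not external.
SAMPLE_URLS = (
    [f"http://files.example.net/uploads/2020/01/28/{i:07d}.pdf" for i in range(8)]
    + ["http://alpha.example/uploads/1/3/0/5/1.pdf",
       "http://beta.example/uploads/1/3/0/5/2.pdf",
       "https://gamma.example/uploads/3.pdf",
       "http://delta.example/uploads/4.pdf",
       "http://hello.example/uploads/130639226.html#song",
       "http://dejavu.sourceforge.net",
       "mailto:contact@example.net"]
)


def sample_report() -> dict:
    """Run the detector over the constructed sample."""
    return analyse_links(build_sample_pdf(SAMPLE_URLS))


if __name__ == "__main__":
    for k, v in sample_report().items():
        print(f"{k:>15}: {v}")
```

On the constructed sample the report flags the file (12 external .pdf targets in a few kilobytes, 57% of them on one host); a document with a single citation link stays unflagged. On a real sample you would feed the raw file bytes in and, for compressed PDFs, decompress object streams first, since the regex only sees plaintext dictionaries.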

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000014d5.bin | 96efff04d8e5c24b834d06ce96e73189a94331c86e52c7cb0b7542a2675e92f2 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14D5 | 8304 bytes
font_01_sfnt_off000081e8.bin | 3c309aa7d805e5339a9ae25196548cded5913002e06141df1efa37dbbc41c6da | pdf-font-stream | PDF embedded font (sfnt) at offset 0x81E8 | 18296 bytes
font_02_sfnt_off00009d35.bin | 88cbb9ff8536672ad43ceac4345c913ffe3df9f9517aaaaf62857ba92a4db1e3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D35 | 3208 bytes

All three carved objects are embedded font programs; no scripts, embedded files or executables were carved from the sample.