Malicious PDF — malware analysis report

Static analysis result for SHA-256 870cb3ce32d83cbe…

Verdict: MALICIOUS

File type: PDF

Size: 34.7 KB
Authoring application: Karbon

MD5: 344b48ba34fb56f7e59aa242ecccba3f
SHA-1: aaada47ab3203372768824332e522de5288715d2
SHA-256: 870cb3ce32d83cbe1ef52ef60d49659807a9c273ebbec087bdc2f979668a70b1

Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF contains a large number of embedded links to other PDF files hosted on various domains. This behavior is indicative of a link farm or a phishing campaign designed to direct users to malicious content. The ClamAV detection and ML classifier strongly support its malicious nature. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000025fd.bin
SHA-256: d8521727aa2088fffb15e1ed04a78c29006f1852967ad8b9357209cf423a9b17
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x25FD
Size: 7076 bytes