Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c4667fab0559462…

Verdict: MALICIOUS
File type: PDF
Size: 57.9 KB
Authoring application: QPDF
First seen: 2021-05-23
MD5: 764eb519e858e9250f7a9b2e10e3c2fa
SHA-1: 4085ed8e0160c1d7db4c668852f2a357e95caba0
SHA-256: 8c4667fab0559462c1c65c8aeac7a8cd726cf7b63afe3b2d15b6ab3b82c3e52e
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF was flagged by multiple heuristics, including a critical alert for a link farm containing 28 external PDF links, and a high-confidence ML classification. The embedded URLs, such as http://estadosdepagos.com/uploads/1/3/0/7/130776898/4776258.pdf, strongly suggest a phishing or malware distribution attempt by redirecting users to potentially malicious content. No scripts were extracted, but the sheer volume of linked PDFs indicates a coordinated effort to lure victims.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL by itself is not a detection; each extracted URL is labelled with the channel (macro, JS, link annotation, document body, ...) that reached it, and every URL extracted from this sample was found in the PDF document text.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001560.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1560
Size: 8688 bytes
SHA-256: aa80f1ba47fc7dbc4cb0158fd14dab8e1f82f63c4ba1f7d87f80c05020880422