Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e3de21baa981f60…

Verdict: MALICIOUS
File type: PDF
Size: 39.9 KB
Authoring application: Mobipocket Creator
MD5: 35c01dc3dc6fba3f523843524275a5bb
SHA-1: 4bbb357b52984cb8623a21dd496ea8af620d73e0
SHA-256: 8e3de21baa981f603be1ac7a46108e54ae74c485404cae6e9681b52349bd8ed9
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF file contains a large number of embedded links to external PDF files, suggesting a link farm or redirection mechanism. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution. The document body, while containing seemingly innocuous text about gastric sleeve surgery, is likely a lure to disguise the malicious nature of the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004074.bin
SHA-256: 79be46ded8dd7142ed51ffc73977f53fd5977f2477c0835914ed5264c5876471
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4074
Size: 7884 bytes