Malicious PDF — malware analysis report

Static analysis result for SHA-256 8edd4bba76ce5147…

Verdict: MALICIOUS
File type: PDF
Size: 57.8 KB
Authoring application: pstoedit
MD5: 25b382c366f811d061a1fc9af6626853
SHA-1: 9fd782537b038f84d02f5a3a3ba459a2a46f90dc
SHA-256: 8edd4bba76ce51471bec7cfbfe8bed256a33d2d733afd6b466665692f3bb4b0a
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links to other PDF files, a technique commonly used for SEO poisoning or distributing malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. The document body, though partially corrupted, contains text related to song downloads, which is likely a lure to disguise the malicious nature of the links. The primary attack pattern involves redirecting users to these external PDF links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists Filename, Kind, Source, Size and SHA-256.

  • font_00_sfnt_off000012f1.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x12F1; Size: 8160 bytes
    SHA-256: cebbd12885fce63cf32d9398a715d7e3ceec2daeb7beab0f4fa3f3debf90a72b
  • font_01_sfnt_off00005dfb.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x5DFB; Size: 10292 bytes
    SHA-256: c7143368894299a997ed09f05024df052d964886bc902d598de4a6791c50751f
  • font_02_sfnt_off000073d5.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x73D5; Size: 16204 bytes
    SHA-256: 22cd034339abe83ef100088c344c397d43dbcb1a696a587bbc5f11ca204a751f
  • font_03_sfnt_off0000895b.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x895B; Size: 7932 bytes
    SHA-256: 09f5f292c8e095d637fe9c5e1c8d6d3232ab3fd7dcc310957b070209498b208d
  • font_04_sfnt_off00009d83.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x9D83; Size: 5080 bytes
    SHA-256: 27fb6daecb7ef6708ac754a0ee4afe6dcd931af0b56215d80062a02ae6100a82