Malicious PDF — malware analysis report

Static analysis result for SHA-256 929417502186e952…

MALICIOUS

PDF

Size: 41.6 KB
Authoring application: SWFTools
MD5: db53c2128ef04beba32c9c6add8b7ca0
SHA-1: f97c5a77af3e5b63a5892470cdb23dd86d76e661
SHA-256: 929417502186e9524388b9434dc946938e98c5c276d41cdf8e7992e5a85093fe
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This technique is commonly used for SEO poisoning or to distribute malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output further support the malicious nature of this file. The document body contains garbled text and error messages, suggesting it is not intended for direct user interaction but rather as a container for the malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001678.bin
SHA-256: 760d5726e607296ae1ffe8d7318873dfac376b106de62510a180aba611652727
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1678
Size: 8540 bytes