Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a38260ebf5809f2…

Verdict: MALICIOUS
File type: PDF
Size: 36.1 KB
Authoring application: SWFTools
MD5: bbad6e5eb17088d6099d086cbfc211dc
SHA-1: 9c686b4dad73cf40953226f89bed67af5a5d01f6
SHA-256: 9a38260ebf5809f209ed0e5a79dad10b3c2446eb6a83db06f41c9ce0f6a0d8e0
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link; T1059.001 PowerShell

The PDF carries 23 embedded URLs, flagged by the PDF_SEO_LINK_FARM heuristic: 22 point at .pdf files and one at an .html page, each on a different host, yet all share the same /uploads/1/3/0/N/130NNNNNN/ path structure, which points to a single generated hosting pattern rather than independent document citations. Together with the ML classifier score and the ClamAV signature, this strongly indicates a link-farm or redirection carrier built to route readers into further malware or phishing delivery (for example http://server65147.misscarols.com/uploads/1/3/0/6/130639613/volufup_fepenog_pulugef_saxetoti.pdf). The SWFTools producer string and the 36.1 KB size are consistent with a generated document rather than an authored one. No scripts (such as embedded JavaScript) were extracted from this sample, so the T1059.001 (PowerShell) mapping is not corroborated by the static evidence; the embedded URLs are the actionable indicators.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://server65147.misscarols.com/uploads/1/3/0/6/130639613/volufup_fepenog_pulugef_saxetoti.pdf
    • http://kobrathelabel.com/uploads/1/3/0/7/130739883/9653840.pdf
    • http://cgreyconstruction.com/uploads/1/3/0/6/130622051/f043fdc62d.pdf
    • http://youarenotaloneart.com/uploads/1/3/0/8/130873841/6859455.pdf
    • http://www.plaquehd.com.au/uploads/1/3/0/3/130323328/dumadip_ketej_talelanubux_fofimivaxeriji.pdf
    • http://nomadcc.com/uploads/1/3/0/7/130739275/tuwit-tirotifag-poxunojozif.pdf
    • http://miriamsterzelblog.com/uploads/1/3/0/7/130740537/nomasekilaxus.pdf
    • http://brandingfaithdesigns.com/uploads/1/3/0/6/130640010/lawavidefu-memuwapa-duwizuninaj-jamaxewipari.pdf
    • http://jaguartracks.com/uploads/1/3/0/4/130476503/jodafiwuluke.pdf
    • http://retrobathandbody.net/uploads/1/3/0/4/130476045/240640aa9803d74.pdf
    • http://christchurchwater.info/uploads/1/3/0/5/130588861/b34c90b56191736.pdf
    • http://evangelismseminar.org/uploads/1/3/0/6/130605089/gomej-xisajulixu.pdf
    • http://www.sirbonifurnishings.com/uploads/1/3/0/4/130490444/603faa1.pdf
    • http://studiobabybody.com.au/uploads/1/3/0/3/130313595/pewexe.pdf
    • http://objectpages.com/uploads/1/3/0/7/130739037/fijojafex-xirivovetat-lovuwexuj-dosufaze.pdf
    • http://isabelreyna.com/uploads/1/3/0/3/130312986/c25e49f6539ff3.pdf
    • http://griffinsgoodnews.com/uploads/1/3/0/6/130604177/970701.pdf
    • http://www.debsphotograpy.com/uploads/1/3/0/3/130379959/5826136.pdf
    • http://kelviron.com/uploads/1/3/0/6/130621280/0ec04.pdf
    • http://outdoordadding.com/uploads/1/3/0/4/130476650/funuz_sodiva.pdf
    • http://www.pyplservice.com/uploads/1/3/0/7/130739780/bexonolopuxefajoxa.pdf
    • http://rickandjudy.net/uploads/1/3/0/6/130621287/puxumaxirigumenipun.pdf
    • http://biyingkeshishicaizhucema.br3h.com/uploads/1/3/0/6/130639342/130639342.html#achievement+motivation+theory+strengths+and+weaknesses
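The PDF_SEO_LINK_FARM heuristic above rests on three observations: the file is small, most of its clickable links are external .pdf targets, and those targets cluster, either on one host or (as in this sample) on one generated path pattern repeated across many hosts. The following is an added example, not the analysis platform's own code: it pulls /URI link targets out of raw PDF bytes and applies a scoring rule modelled on that description. The thresholds, the hostnames and both sample PDFs are constructed for the example.

```python
"""Link-farm triage over a PDF's /URI link annotations.

Added example, not the analysis platform's own code. Extraction is a regex
pass over uncompressed objects (object streams are not unpacked), which is
enough for small generated carriers like the one in this report. The
thresholds and both sample PDFs are constructed for this example.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI literal strings; escaped characters are allowed so "\)" does not end
# the match. Hex-string URIs (/URI <...>) are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def extract_uris(pdf: bytes) -> list:
    """Return every /URI literal-string target found in raw PDF bytes."""
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\
        uris.append(raw.decode("latin-1"))
    return uris


def path_skeleton(url: str, depth: int = 6) -> str:
    """Leading path segments with digit runs masked, e.g. /uploads/#/#/#/#."""
    segs = urlsplit(url).path.split("/")[:depth]
    return re.sub(r"\d+", "#", "/".join(segs))


def link_farm_score(pdf: bytes, min_links: int = 10, max_size: int = 200 * 1024,
                    cluster_ratio: float = 0.5) -> dict:
    """Rule modelled on PDF_SEO_LINK_FARM: a small PDF whose clickable links
    are mostly external .pdf targets clustered on one host or, as in this
    report, on one generated path pattern spread across many hosts."""
    uris = extract_uris(pdf)
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    skeletons = Counter(path_skeleton(u) for u in external)

    def top_share(counter: Counter) -> float:
        return counter.most_common(1)[0][1] / len(external) if external else 0.0

    result = {
        "size": len(pdf),
        "external_links": len(external),
        "external_pdf_links": len(pdf_links),
        "top_host": hosts.most_common(1)[0][0] if hosts else None,
        "top_host_share": round(top_share(hosts), 2),
        "top_path_skeleton": skeletons.most_common(1)[0][0] if skeletons else None,
        "top_path_skeleton_share": round(top_share(skeletons), 2),
    }
    clustered = max(result["top_host_share"], result["top_path_skeleton_share"]) >= cluster_ratio
    result["verdict"] = len(pdf) <= max_size and len(pdf_links) >= min_links and clustered
    return result


def build_sample_pdf(urls: list) -> bytes:
    """Constructed single-page PDF with one /Link annotation per URL and a
    valid xref table, so it also opens in a viewer."""
    objs = [(1, "<< /Type /Catalog /Pages 2 0 R >>"),
            (2, "<< /Type /Pages /Kids [3 0 R] /Count 1 >>")]
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append((3, f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annots}] >>"))
    for i, url in enumerate(urls):
        objs.append((4 + i, f"<< /Type /Annot /Subtype /Link /Rect [72 {700 - 20 * i} 540 {716 - 20 * i}] "
                            f"/A << /S /URI /URI ({url}) >> >>"))
    out, offsets = bytearray(b"%PDF-1.4\n"), {}
    for num, body in objs:
        offsets[num] = len(out)
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref_at = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{offsets[n]:010d} 00000 n \n".encode() for n in sorted(offsets))
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref_at}\n%%EOF\n".encode()
    return bytes(out)


# Constructed indicators: twelve unrelated hosts sharing one generated upload
# path, mirroring the /uploads/1/3/0/N/130NNNNNN/ pattern in this report.
FARM_URLS = [f"http://site{n:02d}.example/uploads/1/3/0/{n % 9}/1306{n:05d}/doc{n}.pdf"
             for n in range(1, 13)]
# Constructed control: a normal document citing two unrelated resources.
BENIGN_URLS = ["https://docs.example.org/papers/report.pdf", "https://www.example.net/about"]

if __name__ == "__main__":
    for label, urls in (("farm", FARM_URLS), ("benign", BENIGN_URLS)):
        print(label, link_farm_score(build_sample_pdf(urls)))
```

The path-skeleton share is what catches this sample: the hosts are all different, so a host-only clustering test would score it as 1/23, while the masked path /uploads/#/#/#/# matches 23 of 23. On real files, run the regex pass only after normalising the PDF (for example with `qpdf --qdf --object-streams=disable in.pdf out.pdf`) so link annotations hidden in compressed object streams are not missed.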

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                     Size
font_00_sfnt_off00002e8f.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x2E8F  6696 bytes
  SHA-256: 2fc343bd99a8570d5a941112d5e1edfd305e6becddd746356aab7a8b7ce0bcf4
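The carved artifact above is an sfnt font program: a stream object whose decoded payload starts with a TrueType/OpenType magic. The following added example, not the platform's carving code, shows how such streams are located and fingerprinted so the SHA-256 in the table can be reproduced from the original file: it walks stream objects with a direct /Length, inflates /FlateDecode streams, keeps those with an sfnt magic, and reports object number, data offset, size and hash. Indirect /Length references, object streams and nested dictionaries are not handled, and the two-stream PDF it runs on is constructed for the example.

```python
"""Carve embedded sfnt font streams from a PDF and fingerprint them.

Added example, not the analysis platform's carving code. Stream objects
with a direct /Length are inflated when /FlateDecode is present; those
whose payload begins with an sfnt magic are reported with offset, size
and SHA-256. Indirect /Length, object streams and nested dictionaries are
out of scope. The sample PDF is constructed for this example.
"""
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"OTTO": "OpenType/CFF",
    b"true": "TrueType (Apple)",
    b"ttcf": "TrueType collection",
}

# "N 0 obj << ... >> stream\n": the dictionary may not run past an endobj,
# so a stream-less object cannot be glued onto the next object's stream.
STREAM_HDR_RE = re.compile(rb"(\d+)\s+0\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.S)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_sfnt_streams(pdf: bytes) -> list:
    """Return one record per stream whose decoded payload is an sfnt font."""
    found = []
    for m in STREAM_HDR_RE.finditer(pdf):
        obj_num, dictionary, start = int(m.group(1)), m.group(2), m.end()
        # Direct /Length only: "(?!\s*\d)" rejects "/Length 12 0 R" entirely
        # instead of backtracking to a shorter digit run.
        length = re.search(rb"/Length\s+(\d+)(?!\s*\d)", dictionary)
        if not length:
            continue  # indirect /Length would need xref resolution
        raw = pdf[start:start + int(length.group(1))]
        try:
            data = zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw
        except zlib.error:
            continue  # truncated or non-Flate payload
        kind = SFNT_MAGICS.get(data[:4])
        if kind is None:
            continue  # content streams, images, non-sfnt fonts (Type1, CFF bare)
        found.append({
            "obj": obj_num,
            "offset": start,
            "kind": kind,
            "size": len(data),
            "sha256": sha256_hex(data),
            "filename": f"font_{len(found):02d}_sfnt_off{start:08x}.bin",
        })
    return found


def build_sample_pdf() -> tuple:
    """Constructed PDF with a plain content stream and one Flate-compressed
    sfnt blob (offset table only, not a loadable font). Returns (pdf, font)."""
    font = b"\x00\x01\x00\x00" + struct.pack(">HHHH", 0, 0, 0, 0) + b"\x00" * 500
    font_z = zlib.compress(font)
    content = b"BT /F1 12 Tf 72 720 Td (placeholder) Tj ET"
    pdf = b"%PDF-1.4\n"
    pdf += b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    pdf += b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    pdf += b"3 0 obj\n<< /Length %d >>\nstream\n" % len(content)
    pdf += content + b"\nendstream\nendobj\n"
    pdf += b"4 0 obj\n<< /Filter /FlateDecode /Length %d /Length1 %d >>\nstream\n" % (len(font_z), len(font))
    pdf += font_z + b"\nendstream\nendobj\n"
    pdf += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return pdf, font


if __name__ == "__main__":
    sample, _ = build_sample_pdf()
    for rec in carve_sfnt_streams(sample):
        print(rec)
```

Against the real sample, the record for the stream at offset 0x2E8F should decode to a 6696-byte payload whose SHA-256 matches the artifact table; a mismatch means the stream was re-encoded or truncated during carving and the hash should not be used for correlation.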