Malicious PDF — malware analysis report

Static analysis result for SHA-256 9fcd3727157c33ef…

MALICIOUS

PDF

47.3 KB Created: 2019-04-02 08:31:04 +03:00 Authoring application: TeX (via pdfTeX-0.14f)
MD5: 3e8385ebf8ef0f309c758aca3a2b78d0 SHA-1: beff3f558c6dbce1c11ad1b2078afe64c03a3782 SHA-256: 9fcd3727157c33ef6d9fd522af170f1ef383f2dd14559c186dd098551d7cdb03
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute malicious content. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies this behavior, and ClamAV detection confirms its malicious nature. While no scripts were extracted, the sheer volume of links and the ML classification suggest a malicious intent to redirect users.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8263

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-7287873-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7287873-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.gorillawalker.com/spanish-vocabulary-builder-with-the-michel-thomas-method.pdf
    • http://www.gorillawalker.com/drawing-faeries-a-believer-s-guide.pdf
    • http://www.gorillawalker.com/2012-carolyn-gavin-flowers-magneto-diary-small-english-german-french.pdf
    • http://www.gorillawalker.com/the-2004-prune-book-top-management-challenges-for-presidential-appointees.pdf
    • http://www.gorillawalker.com/managed-care-and-the-evaluation-and-adoption-of-emerging-medical.pdf
    • http://www.gorillawalker.com/computer-guided-applications-for-dental-implants-bone-grafting-and-reconstructive.pdf
    • http://www.gorillawalker.com/the-history-of-higher-education-ashe-reader-series.pdf
    • http://www.gorillawalker.com/gender-and-the-politics-of-history.pdf
    • http://www.gorillawalker.com/the-heresy-of-ecumenism-and-the-patristic-stand-of-the.pdf
    • http://www.gorillawalker.com/conflict-and-intervention-ib-history-print-and-online-pack-oxford.pdf
    • http://www.gorillawalker.com/under-his-spell-my-boyfriend-is-a-monster.pdf
    • http://www.gorillawalker.com/young-abe-lincoln-the-frontier-days-1809-1837.pdf
    • http://www.gorillawalker.com/pop-quartets-for-all-horn-in-f-instrumental-ensembles-for.pdf
    • http://www.gorillawalker.com/150-curiosidades-de-la-biblia-fun-facts-spanish-edition.pdf
    • http://www.gorillawalker.com/the-travels-and-adventures-of-the-turkish-admiral-sidi-ali.pdf
    • http://www.gorillawalker.com/mind-dimensions-books-0-1-2.pdf
    • http://www.gorillawalker.com/a-history-of-kentucky-and-kentuckians-volume-2-the-leaders.pdf
    • http://www.gorillawalker.com/guiding-those-left-behind-in-missouri.pdf
    • http://www.gorillawalker.com/american-heritage-history-of-the-battle-of-gettysburg.pdf
    • http://www.gorillawalker.com/holt-elements-of-language-vocabulary-workshop-fifth-course.pdf
    • http://www.gorillawalker.com/a-mathematical-introduction-to-conformal-field-theory-lecture-notes-in.pdf
    • http://www.gorillawalker.com/i-am-rosa-parks-penguin-young-readers-l4.pdf
    • http://www.gorillawalker.com/yellowstone-s-rebirth-by-fire-rising-from-the-ashes-of.pdf
    • http://www.gorillawalker.com/amg-45-the-story-the-cars.pdf
    • http://www.gorillawalker.com/studyguide-for-corporate-financial-accounting-by-warren-carl-s-isbn.pdf
    • http://www.gorillawalker.com/do-i-look-fat-in-this.pdf
    • http://www.gorillawalker.com/kittens-puppies-2015-mini-7x7-multilingual-edition.pdf
    • http://www.gorillawalker.com/the-tools-of-working-men-a-hernia-belt-sweatsmen-blue.pdf
    • http://www.gorillawalker.com/the-profitable-consultant-starting-growing-and-selling-your-expertise.pdf
    • http://www.gorillawalker.com/more-conquering-aphasia-and-stroke-volume-3-more-guidance-for.pdf
    • http://www.gorillawalker.com/paradox-the-nine-greatest-enigmas-in-physics.pdf
    • http://www.gorillawalker.com/multiverse-exploring-poul-anderson-s-worlds-unabridged-audible-audio-edition.pdf
    • http://www.gorillawalker.com/why-does-my-book-not-sell-20-simple-fixes-indie.pdf
    • http://www.gorillawalker.com/as-the-matzo-ball-turns.pdf
    • http://www.gorillawalker.com/the-great-passion.pdf
    • http://www.gorillawalker.com/everyone-loves-you-when-you-re-dead-journeys-into-fame.pdf
    • http://www.gorillawalker.com/successful-single-parenting-how-to-combine-bringing-up-children-with.pdf
    • http://www.gorillawalker.com/minor-buddhist-text-part-2.pdf
    • http://www.gorillawalker.com/the-light-across-the-river-a-novel.pdf
    • http://www.gorillawalker.com/a-lenten-journey-with-jesus-christ-and-st-john-of.pdf
    • http://www.gorillawalker.com/comp
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_001_off00000dc3.bin
c8efd851ef1e98e426809aec2ecf40582e1a51de72b6af408f07ac2a6fba5d0d		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0xDC3 16209 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.