Malicious PDF — malware analysis report

Static analysis result for SHA-256 a09848103d59f2a9…

MALICIOUS

PDF

Size: 36.7 KB
Authoring application: PDFBox
First seen: 2020-09-24
MD5: 0a3436a05f4516a028214eb674ecbd04
SHA-1: 2f4555e186f6d7d27b9646fca5732015b6dbd35f
SHA-256: a09848103d59f2a96a54db35ad559e3b7bc809562190376bbdf57f67e5191e59
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF was flagged by multiple heuristics, including a critical finding for a 'PDF_SEO_LINK_FARM' which indicates a large number of external links. The primary malicious URL identified is http://www.sodrooffungi.crikarsmarshall.com/uploads/1/3/0/6/130620982/jijuji_rudifef_nedoxujogof_fosib.pdf. While the document body contains text related to Addison's disease, the overwhelming evidence points to a link-farming or redirection scheme rather than legitimate content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://www.sodrooffungi.crikarsmarshall.com/uploads/1/3/0/6/130620982/jijuji_rudifef_nedoxujogof_fosib.pdf
    Other extracted URLs:
    • http://tonycon.com/uploads/1/3/0/3/130313427/2659336.pdf
    • http://motherhenmusic.org/uploads/1/3/0/3/130323164/sifibef.pdf
    • http://seacorpservices.net/uploads/1/3/0/4/130483067/gudilazifefose-fosusefazagap.pdf
    • http://beanbagswim.com/uploads/1/3/0/8/130813846/bibufise.pdf
    • http://normandyoptical.biz/uploads/1/3/0/3/130323216/a8f7953.pdf
    • http://thedreamslab.agency/uploads/1/3/0/7/130740371/4c64ffb7b0e4b4.pdf
    • http://www.cbdisolateuses.com/uploads/1/3/0/6/130603853/pegotorutiniroleb.pdf
    • http://warrenbsmith.org/uploads/1/3/0/6/130639091/xizik-legonaz.pdf
    • http://motherlodemontessori.org/uploads/1/3/0/5/130550704/mexom.pdf
    • http://nwrealtybrokers.com/uploads/1/3/0/6/130620804/1833294.pdf
    • http://sciencechicks.com/uploads/1/3/0/9/130969499/130969499.html#addison%27s+disease+diet+pdf
    • http://normandyoptical.biz/uplo
    • https://medlineplus.gov/addisondisease.html

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000039c4.bin
    SHA-256: d99068d81114d07cd56b3fa358de25b1fcff642af810a21dc818d7ab3dc240d7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x39C4
    Size: 7548 bytes