Malicious PDF — malware analysis report

Static analysis result for SHA-256 a1413f2a571962ae…

MALICIOUS

PDF

Size: 32.0 KB
Authoring application: QPDF
MD5: c518c864a1dfae832c7b2bfb6ae1fcee
SHA-1: 7bcd607070e9abdc1a4e65b982da169a1d8c0642
SHA-256: a1413f2a571962ae14ae1c4428746f850191d7be2e2e62f042d934c50824460d
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, identified as a link farm, directing users to potentially malicious content. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output of 0.999942 further support its malicious nature. The embedded URLs are the primary indicators of compromise, likely leading to further stages of infection or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ruroloz.cardesign.su/uploads/2020/01/28/jatadadidu.pdf
    • http://zewo.dateurbate.club/uploads/2020/01/27/9867902.pdf
    • http://watermarkconsultingllc.com/uploads/1/3/0/3/130323196/523a5fceaa2.pdf
    • https://kamowexu.weebly.com/uploads/1/3/0/2/130289530/973259558e3c84.pdf
    • http://realalfa.ru/uploads/2020/01/27/kugupirolub.pdf
    • http://canscare.com/uploads/1/3/0/4/130488964/379775.pdf
    • http://casparmckeever.com/uploads/1/3/0/5/130551445/2210468.pdf
    • http://situbepa.bara-bum.ru/uploads/2020/01/28/borubikaladagamo.pdf
    • http://2ndchancecollectibles.com/uploads/1/3/0/6/130604716/1591069.pdf
    • http://biodanzacuerpoyalma.com/uploads/1/3/0/6/130604497/lavenaduwiwe.pdf
    • http://mole-man.co.uk/uploads/1/3/0/4/130489038/130489038.html#nanostation+loco+m2%2Fm5

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011f3.bin
SHA-256: 004e8f1c7852707ee4c3cc1b0dfbd7c5d9d6fbc124d012de34ee3c3a006fb5ae
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11F3
Size: 8744 bytes