Malicious PDF — malware analysis report

Static analysis result for SHA-256 a28e0d3191bf0f87…

Verdict: MALICIOUS
File type: PDF
Size: 44.9 KB
Authoring application: Pdftk
MD5: f25ab819a74729b98854b15558422e2a
SHA-1: 7162a7cc12bcac47095fa3d573f498c73f275856
SHA-256: a28e0d3191bf0f879712528a6f0d88a9d3b1228e118126c657c6f2a5eb90df29
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.002 Malicious File (the recipient opens the PDF); T1204.001 Malicious Link (the recipient follows one of the embedded URLs)

The PDF carries ten clickable external links and little other content, a pattern typical of generated SEO/link-farm carriers rather than of a document that cites sources. Nine of the ten URLs point at further .pdf files. All ten resolve to different hosts, yet every one shares the same /uploads/1/3/0/N/13xxxxxxx/ upload-path layout (one host is a weebly.com subdomain), which points to a single generator behind the whole set. The ClamAV signature and the ML classifier agree on a malicious verdict. The embedded URLs are the primary indicators of compromise: treat them as the next hop in a redirect chain towards malicious or unwanted-software delivery and phishing pages, not as the payload itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    A small PDF contains many clickable external links to other PDFs that cluster either on one host or, as in this sample, on an identical upload-path pattern repeated across ten hosts. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detects this file as malware under the signature name above.
  • EMBEDDED_URL (info): Embedded URLs
    Ten URLs were extracted from the document. A URL by itself is not a detection; the channel that exposes it matters (macro, JavaScript, link annotation, document body, ...). The link-farm heuristic above classifies these as clickable link annotations.
    • http://234360060668842261.com/uploads/1/3/0/3/130313072/9750136.pdf
    • http://cbenedict.com/uploads/1/3/0/4/130436017/sonogaperekir-winaxo.pdf
    • http://moederfamily.com/uploads/1/3/0/2/130271099/3d1dba3.pdf
    • http://programsformindfulliving.com/uploads/1/3/0/3/130323555/wofufeke-vibozito-tuveded.pdf
    • http://sophieleblancvisualmedia.com/uploads/1/3/0/5/130542692/bd88a.pdf
    • http://nuggwholesale.com/uploads/1/3/0/4/130436367/fimaforeperi_retibuno_zajipip_lazudaxuvuvumem.pdf
    • http://nursisociety.org/uploads/1/3/0/5/130551059/8615432.pdf
    • http://mido4design.com/uploads/1/3/0/6/130639827/3627265.pdf
    • http://musicbeta.weebly.com/uploads/1/3/0/5/130588678/gujim.pdf
    • http://djspizza1.com/uploads/1/3/0/5/130550867/130550867.html#tutorial+blender+2.80+espa%C3%B1ol
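The two heuristics above boil down to a checkable rule: pull every /URI action out of the file (including ones hidden in Flate-compressed object streams), then ask whether a small file carries many external .pdf links that cluster by host or by a shared path template. The script below is an added illustration written for this report, not the scanner's own code; its thresholds (100 KB, five links, a 60% share) and the constructed test PDF with placeholder .invalid hostnames are my assumptions, and only the path shape mirrors the URLs listed above.

```python
import posixpath
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed test input, not the analysed sample: hostnames are placeholders under the
# reserved .invalid TLD; only the path shape mirrors the URLs listed in the report.
_LINKS = [
    b"http://site-a.invalid/uploads/1/3/0/3/130313072/9750136.pdf",
    b"http://site-b.invalid/uploads/1/3/0/4/130436017/sonogaperekir-winaxo.pdf",
    b"http://site-c.invalid/uploads/1/3/0/2/130271099/3d1dba3.pdf",
    b"http://site-d.invalid/uploads/1/3/0/3/130323555/wofufeke.pdf",
    b"http://site-e.invalid/uploads/1/3/0/5/130542692/bd88a.pdf",
    b"http://site-f.invalid/uploads/1/3/0/4/130436367/fimaforeperi.pdf",
    b"http://site-g.invalid/uploads/1/3/0/5/130551059/8615432.pdf",
    b"http://site-h.invalid/uploads/1/3/0/5/130550867/130550867.html#tutorial",
]


def build_pdf(uris):
    """Emit a minimal uncompressed PDF whose single page carries one /Link annotation per URI."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annots + b"] >>")
    for i, uri in enumerate(uris):
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] /A << /S /URI /URI (%s) >> >>"
                    % (700 - 20 * i, 715 - 20 * i, uri))
    out = [b"%PDF-1.4"] + [b"%d 0 obj\n%s\nendobj" % (n, body) for n, body in enumerate(objs, 1)]
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF")
    return b"\n".join(out)


SAMPLE_PDF = build_pdf(_LINKS)
# Same annotations, but hidden inside a FlateDecode stream, as an object stream would hide them.
COMPRESSED_PDF = (b"%PDF-1.5\n9 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
                  + zlib.compress(SAMPLE_PDF) + b"\nendstream\nendobj\n%%EOF")

_URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")   # /URI (literal string)
_ESC_RE = re.compile(rb"\\([0-7]{1,3}|.)")


def _unescape(s: bytes) -> bytes:
    """Undo the PDF literal-string escapes that matter for URLs: \\( \\) \\\\ and \\ddd octal."""
    def one(m):
        e = m.group(1)
        return bytes([int(e, 8) & 0xFF]) if re.fullmatch(rb"[0-7]+", e) else e
    return _ESC_RE.sub(one, s)


def extract_uris(pdf: bytes) -> list:
    """Pull every /URI action string, also from inside Flate-compressed streams."""
    bufs = [pdf]
    for m in re.finditer(rb"stream\r?\n(.*?)\nendstream", pdf, re.S):
        try:
            bufs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate, or not compressed at all: those bytes are already in pdf
    return [_unescape(m.group(1)).decode("latin-1") for m in _URI_RE.finditer(b"\n".join(bufs))]


def link_farm_verdict(pdf: bytes, *, max_size=100_000, min_links=5, min_share=0.6) -> dict:
    """Approximation of the PDF_SEO_LINK_FARM heuristic (my thresholds, not the vendor's): a small
    file, many external links, most of them to .pdf, clustered by host or by path template."""
    hosts, templates, pdf_links, external = Counter(), Counter(), 0, 0
    for uri in extract_uris(pdf):
        p = urlsplit(uri)
        if p.scheme not in ("http", "https"):
            continue
        external += 1
        hosts[p.hostname or ""] += 1
        pdf_links += p.path.lower().endswith(".pdf")
        # /uploads/1/3/0/3/130313072/x.pdf -> /uploads/#/#/#/#/# : same generator, different host
        templates[re.sub(r"\d+", "#", posixpath.dirname(p.path))] += 1
    top_host = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tpl = templates.most_common(1)[0] if templates else ("", 0)
    flagged = (len(pdf) <= max_size and external >= min_links
               and pdf_links / external >= min_share
               and max(top_host[1], top_tpl[1]) / external >= min_share)
    return {"size": len(pdf), "external_links": external, "distinct_hosts": len(hosts),
            "pdf_links": pdf_links, "top_host": top_host, "top_path_template": top_tpl,
            "flagged": flagged}


if __name__ == "__main__":
    for name, doc in (("uncompressed", SAMPLE_PDF), ("compressed", COMPRESSED_PDF)):
        print(name, link_farm_verdict(doc))
```

The path-template step is what keeps the rule from being fooled by spreading the links over ten domains: collapsing numeric segments reduces every URL in this sample to /uploads/#/#/#/#/#, so the cluster is visible even though no host repeats. The regex approach deliberately skips a full PDF object parser; a real triage tool should also handle hex strings, nested parentheses and other stream filters.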

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000125a.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x125A
  Size: 9188 bytes
  SHA-256: 22ebc4ac8b63aa26b5cd4bc518e63296426e2277267d52a6a1f05048917c97c3

font_01_sfnt_off00005f6e.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5F6E
  Size: 2732 bytes
  SHA-256: 50224c6c483bfa86a10f62efd7baa2c756f8036c0a911ebd537387e21b2fb6f3

font_02_sfnt_off0000687c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x687C
  Size: 16208 bytes
  SHA-256: 5f95318943fcfbd77322bbb5cad315370152876080c91ba93f69ac7a8b13a41a
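Carving fonts at raw file offsets, as the table above records, only works when the FontFile streams are stored without a compression filter; the recognisable part is the sfnt header (0x00010000, "true" or "OTTO") followed by a table directory. The script below is an added example of that carving step, written for this report rather than taken from the analysis pipeline; the fonts and the carrier blob it scans are constructed test data, and the file-name format simply copies the pattern seen in the table.

```python
import hashlib
import struct

SFNT_TAGS = (b"\x00\x01\x00\x00", b"true", b"OTTO")   # TrueType, Apple TrueType, CFF-flavoured OpenType


def sfnt_length(blob: bytes, off: int):
    """Validate the sfnt table directory at off and return the font's byte length, or None.
    A bare 4-byte tag is not enough: 'true' occurs in ordinary text, so the directory must parse."""
    if blob[off:off + 4] not in SFNT_TAGS or off + 12 > len(blob):
        return None
    num_tables = struct.unpack(">H", blob[off + 4:off + 6])[0]
    if not 0 < num_tables <= 64:                    # real fonts have a handful of tables
        return None
    end = off + 12 + 16 * num_tables                # the directory itself
    if end > len(blob):
        return None
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        tag, _checksum, t_off, t_len = struct.unpack(">4sIII", blob[rec:rec + 16])
        if not all(0x20 <= b < 0x7F for b in tag):  # table tags are printable ASCII
            return None
        if t_off < 12 or off + t_off + t_len > len(blob):
            return None
        end = max(end, off + t_off + t_len)
    return end - off


def carve_fonts(blob: bytes) -> list:
    """Scan a raw file for uncompressed sfnt streams and carve each one, naming it as the report does."""
    found, pos = [], 0
    while True:
        hits = [h for h in (blob.find(t, pos) for t in SFNT_TAGS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        length = sfnt_length(blob, off)
        if length is None:
            pos = off + 1                            # false positive, keep scanning
            continue
        data = blob[off:off + length]
        found.append({"name": "font_%02d_sfnt_off%08x.bin" % (len(found), off),
                      "offset": off, "size": length,
                      "sha256": hashlib.sha256(data).hexdigest()})
        pos = off + length


def make_sfnt(tables: dict, tag=b"\x00\x01\x00\x00") -> bytes:
    """Build a structurally valid but contentless sfnt with the given tables (constructed test data)."""
    records, body, off = b"", b"", 12 + 16 * len(tables)
    for name, data in tables.items():
        records += struct.pack(">4sIII", name, 0, off, len(data))
        data += b"\0" * (-len(data) % 4)             # tables are 4-byte aligned
        body += data
        off += len(data)
    return tag + struct.pack(">HHHH", len(tables), 0, 0, 0) + records + body


FONT_A = make_sfnt({b"head": b"H" * 54, b"cmap": b"C" * 20})   # TrueType, 120 bytes
FONT_B = make_sfnt({b"CFF ": b"X" * 16}, tag=b"OTTO")          # OpenType/CFF, 44 bytes
# Constructed carrier, not the analysed sample. The word "true" in the comment line is a decoy
# that a magic-only scanner would carve; the directory check rejects it.
BLOB = (b"%PDF-1.4\n% this statement is true\n"
        b"5 0 obj\n<< /Length 120 >>\nstream\n" + FONT_A + b"\nendstream\nendobj\n"
        b"6 0 obj\n<< /Length 44 >>\nstream\n" + FONT_B + b"\nendstream\nendobj\n%%EOF")


if __name__ == "__main__":
    for f in carve_fonts(BLOB):
        print(f["name"], f["size"], f["sha256"])
```

For streams that do carry /Filter /FlateDecode, inflate the stream body first and run carve_fonts over the decompressed bytes; the offsets then refer to the stream, not the file. Carved fonts are worth hashing and keeping even when, as here, they are not the malicious element: reused font blobs are a cheap way to cluster documents produced by the same generator.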