Malicious PDF — malware analysis report

Static analysis result for SHA-256 a43d4a68c3b446bd…

Verdict: MALICIOUS
File type: PDF
Size: 35.9 KB
Authoring application: Solid Converter PDF
MD5: ec662a9e76148a580b0b2e25b5c85b1a
SHA-1: 5fac2d99eb4082b5d9e39b8d1fa119eea8a7e202
SHA-256: a43d4a68c3b446bd9c278f4572f5be7675d800aa56f52e2969a73ce82e90d600
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link (the ATT&CK name for this sub-technique; T1566.001 is Spearphishing Attachment)
  • T1059.001 Command and Scripting Interpreter: PowerShell (no script or launch-action artifact appears in the evidence below; the mapping is not observed in this sample's extracted content)

The PDF carries a large number of clickable links to external PDF files, a pattern typical of SEO poisoning: generated PDFs seeded with search terms and cross-linked so that search-engine traffic is routed to malicious or unwanted-software delivery pages. The ClamAV signature and the ML classifier both flag the file. The document text, though heavily truncated, contains the phrase 'Upsssc chakbandi adhikari previous year question paper' (also present as the fragment of one of the embedded URLs), an exam-paper lure that gives the link farm a plausible cover.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://antumbraeducationpartners.com/uploads/1/3/0/3/130379864/cbcd816c.pdf
    • http://micahmakespots.com/uploads/1/3/0/5/130550741/55b1f.pdf
    • http://pixelswipe.com/uploads/1/3/0/5/130545745/76e23.pdf
    • http://camplakeoutfitters.com/uploads/1/3/0/3/130379381/xozejijugofivirewi.pdf
    • http://www.thisissmartoysters.com/uploads/1/3/0/6/130604694/2819303.pdf
    • http://greenworldchina.org/uploads/1/3/0/2/130288465/zemubusokeb_juxunazomodoxot.pdf
    • http://globalkiwitours.com/uploads/1/3/0/5/130588546/57325b3ff9d5f.pdf
    • http://www.tanyahammondinsurancebroker.ca/uploads/1/3/0/3/130323633/vimetevovigut.pdf
    • http://radiantrebelcollective.com/uploads/1/3/0/7/130776067/5531388.pdf
    • http://accountingformarijuana.com/uploads/1/3/0/3/130380084/nunezuxudo_digilorinewaka.pdf
    • http://tsutsulin.net/uploads/1/3/0/3/130379101/muriwe.pdf
    • http://webdisk.shieldedhearts.org/uploads/1/3/0/6/130604666/xunotamunelujunik.pdf
    • http://sonomacountycustomwood.com/uploads/1/3/0/8/130874257/4978309dd0f.pdf
    • http://swctv.org/uploads/1/3/0/8/130814308/vulupituvekogomufef.pdf
    • http://taldato.com/uploads/1/3/0/7/130739763/3b58c8d9.pdf
    • http://shop.accordionapocalypse.com/uploads/1/3/0/5/130589252/130589252.html#upsssc+chakbandi+adhikari+previous+year+question+paper
    • http://radiantrebelcollective.com/uploads/1/3/0/7/1307760
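The PDF_SEO_LINK_FARM heuristic above can be reproduced from the link annotations alone. The following is an added example written for this page, not the analyzer's own detector: it pulls the targets of uncompressed /URI link actions out of a PDF byte string, then scores the set on document size, number of external .pdf links, and how tightly those links cluster. The heuristic text speaks of clustering on one host, but the URLs listed for this sample sit on many different hosts and instead share one generated path template (/uploads/d/d/d/d/dddddddddd/name.pdf), so the example clusters on both host and path template and fires on either. The sample PDF, its .invalid hostnames, the thresholds and the function names are all constructed for illustration; real samples usually store annotations in compressed object streams, which would have to be inflated before this regex sees them.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlparse

# Matches a /URI action as it appears in an uncompressed /Link annotation:
#   /A << /S /URI /URI (http://...) >>
# Escaped characters inside the string are accepted; nested parentheses are not.
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uri_links(pdf_bytes: bytes) -> list[str]:
    """Return the target URLs of every uncompressed /URI link action."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def path_template(url: str) -> str:
    """Collapse digit runs and the final path element so generated paths compare equal.

    /uploads/1/3/0/3/130379864/cbcd816c.pdf  ->  /uploads/N/N/N/N/N/*
    """
    head, _, _ = urlparse(url).path.rpartition("/")
    return re.sub(r"\d+", "N", head) + "/*"


def link_farm_score(urls: list[str], size_bytes: int, *,
                    max_size: int = 256 * 1024,   # "small PDF" threshold (assumed)
                    min_links: int = 10,          # "many links" threshold (assumed)
                    share: float = 0.5) -> dict:   # "mostly clustered" threshold (assumed)
    """Score a URL set the way a link-farm heuristic would and return the evidence."""
    pdf_links = [u for u in urls if urlparse(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template_share = templates.most_common(1)[0][1] / n if n else 0.0
    verdict = (size_bytes <= max_size
               and n >= min_links
               and max(top_host_share, top_template_share) >= share)
    return {
        "size_bytes": size_bytes,
        "total_links": len(urls),
        "pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": top_host_share,
        "top_template": templates.most_common(1)[0][0] if n else None,
        "top_template_share": top_template_share,
        "verdict": verdict,
    }


# --- constructed sample input (not the analyzed file) -----------------------

def _link_annot(url: str) -> bytes:
    """Build one uncompressed /Link annotation object carrying a /URI action."""
    return (b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            b"/A << /S /URI /URI (" + url.encode() + b") >> >>\n")


# Twelve distinct .invalid hosts sharing the generated-path shape seen in the report.
CONSTRUCTED_URLS = [
    f"http://host{i:02d}.invalid/uploads/1/3/0/{i % 9}/1303{i:05d}/page{i}.pdf"
    for i in range(12)
]
SAMPLE_PDF = (b"%PDF-1.4\n"
              + b"".join(_link_annot(u) for u in CONSTRUCTED_URLS)
              + b"%%EOF\n")

# A benign-looking document with two ordinary links, for contrast.
BENIGN_PDF = (b"%PDF-1.4\n"
              + _link_annot("https://docs.example.invalid/manual/guide.pdf")
              + _link_annot("https://www.example.invalid/about.html")
              + b"%%EOF\n")


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        result = link_farm_score(extract_uri_links(blob), len(blob))
        print(name, result)
```

Running the block prints the evidence dictionary for both inputs; the constructed sample fires on the path-template share (1.0) even though its host share is 1/12, which is the shape of the URL list in this report, while the two-link document does not reach the link-count threshold.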

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000031d8.bin
SHA-256: 9a9394dab89d0caffcfb17a387678699b12a71f5fc5f30f2294488810b57d45b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x31D8
Size: 7692 bytes