Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5e1ec8c81d819b4…

MALICIOUS

PDF

72.5 KB Authoring application: Poppler-utils
MD5: b2828a51ce4c882199dbbc83d63690f5 SHA-1: 4565451c489b0edaed1b618d9748be7b0fcc1902 SHA-256: a5e1ec8c81d819b48c2f92620ea456109387d2e096143854ba7d2a6e6bca9b27
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links to other PDF files hosted on various domains. This behavior is indicative of a link farm or a phishing campaign designed to direct users to potentially malicious content. The ClamAV detection and ML classifier further support the malicious nature of this file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9963

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://common-sense-government.org/uploads/1/3/0/6/130604006/fazopogidamu.pdf
    • http://downriverkaraokeanddj.com/uploads/1/3/0/6/130621066/1d5556ebfde.pdf
    • http://termlimitspompano.com/uploads/1/3/0/4/130435658/3229106.pdf
    • http://memoriesinsoap.com/uploads/1/3/0/7/130740524/bagodojevijero.pdf
    • http://ptscaffolding.com/uploads/1/3/0/6/130640025/venuwumijozoxigexaro.pdf
    • http://jer-zu.com/uploads/1/3/0/6/130603769/7ebb4.pdf
    • http://rocksolidbaseballcamp.com/uploads/1/3/0/6/130620746/woxekevapizof_koguvezaw_lerura_likupikefa.pdf
    • http://cadencechiassonlmft.com/uploads/1/3/0/8/130814387/92fe922e178fa.pdf
    • http://splitfingerstudio.com/uploads/1/3/0/8/130815437/4172957.pdf
    • http://pvifftickets.com/uploads/1/3/0/6/130620835/344e60d90.pdf
    • http://littlebigpad.com/uploads/1/3/0/7/130738525/9402721.pdf
    • http://victoriajsmith.com/uploads/1/3/0/2/130289681/mibufoga.pdf
    • http://norshus.com/uploads/1/3/0/7/130775675/padub_pulepuku_melelelu_gupetizo.pdf
    • http://mrbojandals.com/uploads/1/3/0/7/130775404/2762834.pdf
    • http://howardsmithphotography.com/uploads/1/3/0/8/130813111/baletowoderubini.pdf
    • http://unrpad.org/uploads/1/3/0/2/130274305/kokulovud_sakazulijapi.pdf
    • http://brownbox1.com/uploads/1/3/0/9/130969297/bafetudum.pdf
    • http://brianghilliotti.com/uploads/1/3/0/4/130436202/5775641.pdf
    • http://bellathevagablond.com/uploads/1/3/0/5/130588962/9772469.pdf
    • http://trumptreasure.com/uploads/1/3/0/6/130621684/najodefu_povemovamar.pdf
    • http://mail.fingerprintart.me.uk/uploads/1/3/0/6/130604498/806448a8.pdf
    • http://castletraining.org/uploads/1/3/0/6/130605182/7139878.pdf
    • http://hnstravels.voyagerwebsites.com/uploads/1/3/0/9/130969291/130969291.html#como+reducir+el+tama%C3%B1o+de+un+pdf+nitro

Extracted artifacts 6

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000039a1.bin
d3711f112def277c3a92632b657c868ee52629d5bc1550af367cba23b2ce2505		 pdf-font-stream PDF embedded font (sfnt) at offset 0x39A1 8896 bytes
font_01_sfnt_off000050d9.bin
7ae50203b5c9704fa89b7781d388a6f8d6bdd3cde6659b0ab737c983617e61e7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x50D9 11024 bytes
font_02_sfnt_off000069d9.bin
0ec690569684ab17203c76c44c4a1fc83328a8f82a4b54de015a3f198a6a5d9e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69D9 10076 bytes
font_03_sfnt_off00008973.bin
41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8973 2600 bytes
font_04_sfnt_off000092fd.bin
c6dbf45170bb03a3cd3dc61e3b94d13ec38f977758978f8c14afe77b89ec482c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x92FD 19180 bytes
font_05_sfnt_off0000b4db.bin
abc204c32335f90a8cf967a10814927ab313de84e9a573c85b0d0c9f5719a0fe		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB4DB 11836 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.