Malicious PDF — malware analysis report

Static analysis result for SHA-256 a8e63c5457f9ea7c…

Verdict: MALICIOUS

File type: PDF

Size: 34.2 KB
Authoring application: PDFBox
MD5: c4cad3a1ee92a193af59d272b691cccd
SHA-1: 20d0e6e7addbbc2df9f0a1ae75cb84bba9551b8f
SHA-256: a8e63c5457f9ea7c6fd88705b281746aef2d353d89c8ef143713e34edd6874a6
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files hosted on various domains. This technique is commonly used for SEO poisoning or to redirect users to phishing sites or malware downloaders. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or traffic redirection intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://customsmokingjacket.com/uploads/1/3/0/4/130435536/e268ab40bb2192.pdf
    • http://bostonchaptermerch.com/uploads/1/3/0/5/130543093/4c7511099.pdf
    • http://montgomerycountyhumanesocietync.com/uploads/1/3/0/5/130541661/44fdb42a34.pdf
    • http://www.izzybelleboutique.shop/uploads/1/3/0/5/130539092/fumoloji_gobowezamudeb_kanixuxam.pdf
    • http://nuvueindustrialsolutions.com/uploads/1/3/0/5/130540453/nebowodexa-zerupusuwuxa-torofutuzerofi.pdf
    • http://exolot-riba5.site/uploads/1/3/0/6/130620708/8903502.pdf
    • http://silvercloudvape.co.uk/uploads/1/3/0/4/130476844/dazazolufonaw-zejadetob-nomunapok.pdf
    • http://europimec.org/uploads/1/3/0/4/130476075/luretoni.pdf
    • http://geomatch.net/uploads/1/3/0/7/130740477/db47a85b.pdf
    • http://beacloudaccounting.guru/uploads/1/3/0/6/130604550/nuteruda.pdf
    • http://ranchotecate.net/uploads/1/3/0/3/130313504/wewesiguxaj-lavunedo-numitubinilimo-gatax.pdf
    • http://agentemily.com/uploads/1/3/0/2/130287735/dakuzijobu.pdf
    • http://penninsulatech.com/uploads/1/3/0/6/130621915/2915402.pdf
    • http://tracedebug.com/uploads/1/3/0/6/130620936/4545129.pdf
    • http://ilovefatjacks.club/uploads/1/3/0/6/130603995/9801249.pdf
    • http://nebraskasolarschools.net/uploads/1/3/0/5/130539114/kunezarit.pdf
    • http://325986690869568534.com/uploads/1/3/0/2/130291689/4098705.pdf
    • http://x55fb.salon225.com/uploads/1/3/0/7/130738971/130738971.html#pink+floyd+another+brick+in+the+wall+solo+chords

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001e52.bin
SHA-256: eeb2424ed73f8e4faab33f2de16190943c817636cc52a87ae5a7a3cc2afd118c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1E52
Size: 7644 bytes