Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa15bdacd416e01d…

MALICIOUS

PDF

36.0 KB Authoring application: GIMP
MD5: bf5273ebdb1c439a038af55bb99c42a9 SHA-1: 9c3d8aa886de0bd80d0146b7e71980905c3f7ab8 SHA-256: aa15bdacd416e01d1106f18306029be44dcef750bc5406753c7a7914057c0b79
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, with the primary malicious URL being http://topewobe.satellit55.ru/uploads/2020/01/29/kuzoduseni-xifumo-xoripedop-zumek.pdf. The document body, despite being partially corrupted, suggests a lure related to accepting a job offer via email. ClamAV also detected this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', reinforcing the phishing and malicious redirection intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://topewobe.satellit55.ru/uploads/2020/01/29/kuzoduseni-xifumo-xoripedop-zumek.pdf
    • https://rajejaxusumesi.weebly.com/uploads/1/3/0/5/130588894/bc4c36851a16.pdf
    • https://pusutubejav.weebly.com/uploads/1/3/0/5/130539702/c9f2e6c64b07a.pdf
    • http://thejoyofsyntax.com/uploads/1/3/0/6/130640025/8b9e63ad1f36810.pdf
    • http://teacupsanddresses.com/uploads/1/3/0/4/130476248/vomepaxavuwif-tuwamapudas-davefawiresalum.pdf
    • http://gesokenulu.s-us.ru/uploads/2020/01/29/7505969.pdf
    • http://cours-de-batterie-fouesnant.com/uploads/1/3/0/2/130271048/4080089.pdf
    • http://xodotori.gdxsdxrexgtesgxdsese.xyz/uploads/2020/01/29/7852122.pdf
    • http://cooleysleep.com/uploads/1/3/0/4/130489331/719249.pdf
    • http://kpcdesign.org/uploads/1/3/0/6/130604056/8267e5682c.pdf
    • http://artofmoses.com/uploads/1/3/0/4/130476791/130476791.html#how+to+accept+job+offer+letter+via+email

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000012ce.bin
bb1e077ca83e89f6cf2e84cba5efe8b838d2c361c8dbb60af6d3916093012b8c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12CE 7884 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.