Malicious PDF — malware analysis report

Static analysis result for SHA-256 aef18a640e1fb5d3…

MALICIOUS

PDF

Size: 41.3 KB
Authoring application: Nitro PDF
First seen: 2021-06-04
MD5: 796c63d9f62feb36326f25854212120c
SHA-1: 0e00eb506a4200500ee789841090085642973341
SHA-256: aef18a640e1fb5d38c07bf6e0897a4ee2eea4904dd46bb1a4dde46e7f47099df
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, identified as a 'PDF_SEO_LINK_FARM' heuristic. This suggests a phishing or redirection attempt, aiming to drive traffic to potentially malicious sites. The ClamAV detection and ML classifier further support its malicious nature, classifying it as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. No scripts were extracted, and the document body content is heavily corrupted, making it difficult to ascertain a specific lure beyond the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs (all reached via the PDF document text):
    • https://wetagobin.weebly.com/uploads/1/3/0/3/130323161/4322218.pdf
    • https://pasorodaxek.weebly.com/uploads/1/3/0/5/130545742/9970643.pdf
    • https://sixawisoseda.weebly.com/uploads/1/3/0/2/130270955/1c4f326a.pdf
    • https://xanajisanevivol.weebly.com/uploads/1/3/0/2/130274345/funovagajiz.pdf
    • https://dufozuzarinov.weebly.com/uploads/1/3/0/3/130323374/5403561.pdf
    • https://fakawexiz.weebly.com/uploads/1/3/0/4/130483469/d79ae4.pdf
    • https://davukefofuj.weebly.com/uploads/1/3/0/4/130436152/6378258.pdf
    • https://xogafozusiweda.weebly.com/uploads/1/3/0/3/130323178/lunazijafavot.pdf
    • https://pamedakulikes.weebly.com/uploads/1/3/0/4/130483114/2101158.pdf
    • https://lukokasabo.weebly.com/uploads/1/3/0/2/130272511/6dc713c5.pdf
    • https://texatanikuxe.weebly.com/uploads/1/3/0/4/130483207/09a00f18613a8.pdf
    • https://tifuwokuvir.weebly.com/uploads/1/3/0/3/130379504/lixadugesavozuxusagi.pdf
    • https://nididipalotex.weebly.com/uploads/1/3/0/3/130323335/baxujovumir.pdf
    • https://sugikojoti.weebly.com/uploads/1/3/0/2/130289458/witegafabudosat.pdf
    • https://badituvot.weebly.com/uploads/1/3/0/2/130289618/46264.pdf
    • https://wotufawekow.weebly.com/uploads/1/3/0/3/130313343/girinutusa.pdf
    • https://mowifiwa.weebly.com/uploads/1/3/0/4/130436085/083694.pdf
    • https://judifasa.weebly.com/uploads/1/3/0/3/130313127/6826477.pdf
    • https://jotodetad.weebly.com/uploads/1/3/0/2/130287493/3707838.pdf
    • https://zikabagerimet.weebly.com/uploads/1/3/0/4/130483158/rosivixupotodo.pdf
    • https://levikujakezodu.weebly.com/uploads/1/3/0/4/130476821/3429444.pdf
    • https://simanusewomok.weebly.com/uploads/1/3/0/2/130289636/d39f7bf.pdf
    • https://gitisupo.weebly.com/uploads/1/3/0/4/130488506/3650030.pdf
    • https://duferegateboja.weebly.com/uploads/1/3/0/4/130489776/9e43111daaf3d.pdf
    • https://litesaxuv.weebly.com/uploads/1/3/0/5/130544751/pizij-vulobasug-funapupo-livefoxux.pdf
    • https://basasuzewifofa.weebly.com/uploads/1/3/0/2/130270897/130270897.html#notary+form+template+california

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000168e.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x168E
Size: 8124 bytes
SHA-256: d2e5e378ac5205c5d2df550d8b7a7679cdc23c4841e4b891eca32078496e38e8