Malicious PDF — malware analysis report

Static analysis result for SHA-256 b459d65b4cb2dce5…

Verdict: MALICIOUS
File type: PDF
Size: 38.2 KB
Authoring application: PDF Studio
MD5: 2892dbe730efb14ad480d14da64c5378
SHA-1: 524dd0570635478da08519c96e5f5fb625409068
SHA-256: b459d65b4cb2dce5bf67ac71f8e72c4214b1608916523348504d31fc42c6413c
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including a critical finding for a link farm containing 31 external PDF links. The ML classifier also strongly indicated maliciousness. The embedded URLs suggest a phishing or redirection campaign, aiming to lead users to potentially harmful content hosted on various domains.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003794.bin
SHA-256: dee1519ff6530ee2102d2949a9eaae28684b24af9d9b6b70b6afb63d542bd047
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3794
Size: 7972 bytes