Malicious PDF — malware analysis report

Static analysis result for SHA-256 b624aed4b31824a7…

Verdict: MALICIOUS
File type: PDF
Size: 59.1 KB
Authoring application: PDF Studio
MD5: 128a43925bf38debb4decdfe2d373179
SHA-1: 614b41c6b586d58fc550d9bec2b36085502cd6a7
SHA-256: b624aed4b31824a7733f352015932b78deb5417ff444a7483036cab461ac6879
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.001 Command and Scripting Interpreter: PowerShell

The PDF contains a large number of clickable link annotations pointing at other PDF files on third-party hosts, most of them per-tenant subdomains of weebly.com. That pattern is characteristic of generated SEO link-farm carriers, which exist to route users into malicious or unwanted-software delivery chains rather than to cite documents; the keyword fragment on the one HTML target (#sergei+rachmaninoff+compositions) is the kind of search-term bait such carriers use. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier score (0.9999) independently support the malicious verdict. The primary attack pattern is redirection: the risk to a recipient lies in following the links into the external link farm. The T1059.001 (PowerShell) mapping is not corroborated by any artifact listed in this report; the only channel the heuristics fired on is link annotations, so treat that technique as inferred from the wider campaign rather than observed in this file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host (here, weebly.com subdomains). This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://nasazutebil.weebly.com/uploads/1/3/0/5/130589312/zeweminafi.pdf
    • https://pavubilumof.weebly.com/uploads/1/3/0/4/130488615/zukasirog_nisekugemefulub_lisigejuja.pdf
    • https://ruzitamiku.weebly.com/uploads/1/3/0/5/130588749/webelawowobitafovo.pdf
    • https://levikujakezodu.weebly.com/uploads/1/3/0/4/130476821/xosoba-dapokupoxir-mibazozebute.pdf
    • http://jelog.your-website.name/uploads/2020/01/28/8447562.pdf
    • https://ruruxofuki.weebly.com/uploads/1/3/0/3/130313748/tiromamexoxet-nisuzizigasi.pdf
    • https://marugigubukadef.weebly.com/uploads/1/3/0/5/130551153/ffc30514.pdf
    • https://nasuloxo.weebly.com/uploads/1/3/0/2/130289421/4e0f8f.pdf
    • http://smartbitrix.ru/uploads/2020/01/27/79f17c3.pdf
    • http://darcis-ko.fun/uploads/2020/01/27/magerigekogafinu.pdf
    • http://zivejevolo.tathydro.ru/uploads/2020/01/27/derobasabopagir_nurudaxatip.pdf
    • http://bap.pp-offer.info/uploads/2020/01/28/3ce55e0b.pdf
    • http://laboredo.rec4.icu/uploads/2020/01/28/9391547.pdf
    • http://copyrightcontact-100000659807.com/uploads/2020/01/28/8360014.pdf
    • http://morej.sunparkspb.com/uploads/2020/01/27/tobitobeji.pdf
    • https://nefabasovi.weebly.com/uploads/1/3/0/5/130551597/bezuluge.pdf
    • http://jatujola.topsam.ru/uploads/2020/01/27/5802036.pdf
    • https://morarafaf.weebly.com/uploads/1/3/0/5/130590224/130590224.html#sergei+rachmaninoff+compositions
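The link-farm heuristic above can be reproduced outside the platform. What follows is an added example written for this report, not the scanner's own implementation: it pulls every /URI action target out of a PDF (from the raw object dictionaries and from any FlateDecode stream that inflates, since annotation objects are often packed into object streams), collapses each host to its last two labels so that per-tenant weebly.com subdomains cluster together, and applies an assumed rule (file at most 200 KB, at least ten external .pdf targets, at least half of them on one site). The one-page sample PDF is constructed inline from eleven of the URLs listed above; the thresholds, the builder and the function names are assumptions, not anything the platform exposes.

```python
# Added example: reproduce the PDF_SEO_LINK_FARM signal with the standard library.
# Not the scanner's own code; thresholds are assumptions and the PDF is constructed.
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# A /URI target is a PDF string: literal (...) with \( \) \\ escapes, or hex <...>.
_URI = re.compile(rb'/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)', re.S)
# Stream bodies: annotation dicts often sit inside FlateDecode object streams.
_STREAM = re.compile(rb'(?<!end)stream\r?\n(.*?)\r?\nendstream', re.S)


def _pdf_string(lit, hexs):
    """Decode one matched PDF string (only the escapes that matter for URLs)."""
    if lit is not None:
        lit = re.sub(rb'\\\r?\n', b'', lit)          # backslash-newline continuation
        return re.sub(rb'\\([()\\])', rb'\1', lit).decode('latin-1')
    digits = re.sub(rb'\s', b'', hexs).decode()
    return bytes.fromhex(digits + '0' * (len(digits) % 2)).decode('latin-1')


def extract_uri_actions(pdf):
    """Every /URI target in the raw file plus in any stream that inflates."""
    buffers = [pdf]
    for m in _STREAM.finditer(pdf):
        try:
            buffers.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass                                     # not Flate or damaged: skip it
    return [_pdf_string(m.group(1), m.group(2))
            for buf in buffers for m in _URI.finditer(buf)]


def _site(url):
    """Last two host labels, so per-tenant subdomains of one hoster cluster."""
    return '.'.join((urlsplit(url).hostname or '').split('.')[-2:])


def score_link_farm(pdf, max_size=200_000, min_pdf_links=10, min_cluster=0.5):
    """Assumed rule: small file, many external .pdf targets, most on one site."""
    external = [u for u in extract_uri_actions(pdf)
                if urlsplit(u).scheme in ('http', 'https')]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith('.pdf')]
    sites = Counter(_site(u) for u in external)
    top_site, top_n = sites.most_common(1)[0] if sites else ('', 0)
    cluster = top_n / len(external) if external else 0.0
    return {'size': len(pdf), 'external_links': len(external),
            'pdf_links': len(pdf_links), 'top_site': top_site,
            'cluster_share': round(cluster, 2),
            'link_farm': (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
                          and cluster >= min_cluster)}


def _annot(url, i):
    """Constructed link annotation; odd entries use the hex string form."""
    raw = url.encode('latin-1')
    if i % 2:
        target = b'<' + raw.hex().encode() + b'>'
    else:
        target = b'(' + re.sub(rb'([()\\])', rb'\\\1', raw) + b')'
    return (b'<< /Type /Annot /Subtype /Link /Rect [0 %d 100 %d] '
            b'/A << /S /URI /URI %s >> >>' % (i * 10, i * 10 + 10, target))


def build_sample_pdf(urls):
    """Constructed one-page PDF whose link annotations target `urls`; the last
    three annotations are packed into a FlateDecode object stream so the scan
    has to inflate it, as with a real object-stream PDF."""
    plain, packed = urls[:-3], urls[-3:]
    objs = {1: b'<< /Type /Catalog /Pages 2 0 R >>',
            2: b'<< /Type /Pages /Kids [3 0 R] /Count 1 >>'}
    refs = b' '.join(b'%d 0 R' % (4 + i) for i in range(len(urls)))
    objs[3] = b'<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [%s] >>' % refs
    for i, u in enumerate(plain):
        objs[4 + i] = _annot(u, i)
    data = zlib.compress(b'\n'.join(_annot(u, len(plain) + i) for i, u in enumerate(packed)))
    objs[4 + len(urls)] = (b'<< /Type /ObjStm /N %d /Filter /FlateDecode /Length %d >>\n'
                           b'stream\n%s\nendstream' % (len(packed), len(data), data))
    out, offsets = bytearray(b'%PDF-1.5\n'), {}
    for n in sorted(objs):
        offsets[n] = len(out)
        out += b'%d 0 obj\n%s\nendobj\n' % (n, objs[n])
    xref = len(out)
    out += b'xref\n0 %d\n0000000000 65535 f \n' % (len(objs) + 1)
    out += b''.join(b'%010d 00000 n \n' % offsets[n] for n in sorted(objs))
    out += b'trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n' % (len(objs) + 1, xref)
    return bytes(out)


# Eleven of the targets from this report, used here as constructed sample input.
SAMPLE_URLS = [
    'https://nasazutebil.weebly.com/uploads/1/3/0/5/130589312/zeweminafi.pdf',
    'https://pavubilumof.weebly.com/uploads/1/3/0/4/130488615/zukasirog_nisekugemefulub_lisigejuja.pdf',
    'https://ruzitamiku.weebly.com/uploads/1/3/0/5/130588749/webelawowobitafovo.pdf',
    'https://levikujakezodu.weebly.com/uploads/1/3/0/4/130476821/xosoba-dapokupoxir-mibazozebute.pdf',
    'http://jelog.your-website.name/uploads/2020/01/28/8447562.pdf',
    'https://ruruxofuki.weebly.com/uploads/1/3/0/3/130313748/tiromamexoxet-nisuzizigasi.pdf',
    'https://marugigubukadef.weebly.com/uploads/1/3/0/5/130551153/ffc30514.pdf',
    'https://nasuloxo.weebly.com/uploads/1/3/0/2/130289421/4e0f8f.pdf',
    'http://smartbitrix.ru/uploads/2020/01/27/79f17c3.pdf',
    'https://nefabasovi.weebly.com/uploads/1/3/0/5/130551597/bezuluge.pdf',
    'https://morarafaf.weebly.com/uploads/1/3/0/5/130590224/130590224.html#sergei+rachmaninoff+compositions',
]

if __name__ == '__main__':
    for k, v in score_link_farm(build_sample_pdf(SAMPLE_URLS)).items():
        print(f'{k}: {v}')
```

On the constructed sample the rule fires (10 external .pdf targets, 9 of 11 links on weebly.com). To triage a real file, pass its bytes to score_link_farm instead of the built sample. The scanner is deliberately narrow: it only inflates FlateDecode streams, ignores other filters and encrypted documents, and decodes only the string escapes that affect a URL, so a carrier that hides its annotations behind another filter would need the stream decoded first.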

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • stream_004_off00009daf.bin
    SHA-256: 8a07795e8758f4809bd2605a0657f8110b354a18ba5eeba0e35f13fddac845c0
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x9DAF
    Size: 16976 bytes
  • font_00_sfnt_off00001175.bin
    SHA-256: 1efd334be735c6abf889489a045720e83d9076bce4773f52b2f667f964e165ec
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1175
    Size: 11688 bytes