Malicious PDF — malware analysis report

Static analysis result for SHA-256 b782e9bad03c5e79…

MALICIOUS

PDF

38.3 KB Authoring application: Soda PDF
MD5: de4f0db8a5299fb7905d86cd8f99174d SHA-1: f708125c1668c5ba82a0ff9c169f731349f67107 SHA-256: b782e9bad03c5e79387a5a51f0252fe33f4f1d3c87ebb8f636be326692facc75
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains a large number of embedded links to external PDF documents, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests a link farm or SEO manipulation tactic. The ML classifier and ClamAV detection strongly support a malicious classification. No scripts were extracted, and the document body content is largely unreadable, but the presence of numerous external links points to a distribution or redirection mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://drsimoneryan.com/uploads/1/3/0/5/130539165/7235204.pdf
    • http://omalus.com/uploads/2020/01/28/9078195.pdf
    • http://hawaiirootsandbranches.com/uploads/1/3/0/5/130551006/merolofobopupo.pdf
    • http://natashapartnoy.com/uploads/1/3/0/2/130289288/ranakabadalupad-nigonofuresup-rawoniw.pdf
    • http://myriadpharmacy.com/uploads/1/3/0/5/130588718/2e6f1079b98.pdf
    • http://newsoft-softava.weebly.com/uploads/1/3/0/4/130490155/7835107.pdf
    • http://audiostart05.icu/uploads/2020/01/27/7dde5a364.pdf
    • http://xeziluporu.lanticadimansotti.com/uploads/2020/01/27/1252782.pdf
    • https://kosopagajevorud.weebly.com/uploads/1/3/0/5/130551081/rinasumanazojot.pdf
    • http://tibukaz.kuluarpohod.ru/uploads/2020/01/28/jopalefofunux.pdf
    • http://stephaniepereira.com/uploads/1/3/0/4/130435784/1fae2e.pdf
    • http://mgodfreycreative.com/uploads/1/3/0/5/130588784/e5cfb3385f.pdf
    • http://kaw.west-lab.ru/uploads/2020/01/27/f48b7daa415ba77.pdf
    • http://conversionpix.com/uploads/1/3/0/5/130545537/87bcf51d1f7a.pdf
    • http://journeytomichelin.com/uploads/1/3/0/2/130274154/rojuk-pakarerim-luvusoxumawow-bojid.pdf
    • http://gapoferiz.serviicosbr.com/uploads/2020/01/28/magexavu_nutovatix.pdf
    • http://xoxo.estiny-studio.ru/uploads/2020/01/28/vosikirudefix_fowawiwotuj_xiwerodoporilop.pdf
    • http://rotaract4100.org/uploads/1/3/0/6/130604690/tabavakofigew.pdf
    • http://shadyblueamstaffs.com/uploads/1/3/0/3/130323592/pulutipufuki_lizekotuv_reteku.pdf
    • http://nelsonmassage.com/uploads/1/3/0/3/130323594/7963740.pdf
    • http://colddiamnd.com/uploads/1/3/0/5/130550882/130550882.html#corrugated+galvanized+roofing+sheets
    • http://shadyblueamstaffs.com/uploads/1/3/0/3/130323592/p

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000160b.bin
c47df47261911fec2e9a8c1d10c18a6e306bafa367eea92f51b6ab41ad3fbe91		 pdf-font-stream PDF embedded font (sfnt) at offset 0x160B 7616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.