Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9003e7d05cc6058…

Verdict: MALICIOUS
File type: PDF
Size: 57.5 KB
Authoring application: GIMP
MD5: c2faf61cebf8a052c9eba394563839c4
SHA-1: 0f125a240273526e675f600c5d0baf0db34f94fc
SHA-256: b9003e7d05cc6058ca0ecd6a45ec6ca538552aaeddde94e056836599eee7ac4a
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule, indicating a large number of embedded external links. The ML classifier also assigned a high probability of maliciousness. The embedded URLs are likely used to redirect users to phishing sites or download further malicious content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001418.bin
  SHA-256: cc81c1267baf8627a8ed41d0c93fe6cc48263daf9d8e453dda4c8c9c4e9ca95d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1418
  Size: 8076 bytes

Filename: font_01_sfnt_off00008f0b.bin
  SHA-256: 06cb0e9edaca7caa1c7d4c65ad1576a8496232ae9708ee1d3b6149f9a0e3d8d1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8F0B
  Size: 10512 bytes