Malicious PDF — malware analysis report

Static analysis result for SHA-256 b9273ba5482d8e9b…

Verdict: MALICIOUS
File type: PDF
Size: 45.0 KB
Authoring application: Adobe PDF Library 9.0
MD5: ce551367e62a95c97081e4438c29fd24
SHA-1: d065df7fd72b3e2b1d2d239b05d1f885f8246e35
SHA-256: b9273ba5482d8e9bdb9b5035cc398c574b8c72b786fc9ca86a57c8664187c66b
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links to various domains, identified by the PDF_SEO_LINK_FARM heuristic. The document body, while appearing to be a calendar, also contains embedded URLs that are part of this link farm. This behavior is indicative of a phishing or malware distribution campaign, aiming to redirect users to potentially malicious content hosted across these domains.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000010e5.bin | da5998192e50d66019ed8fb6617ada55d298a268d9dfe44563ede4118608d63f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E5 | 8492 bytes
font_01_sfnt_off00005ea5.bin | 0fa3c1ee0e0cf94184ae42d1d8f1f4700b85a2f2e670c9620d3610160696c22f | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5EA5 | 16724 bytes
font_02_sfnt_off00007551.bin | d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7551 | 2616 bytes