Malicious PDF — malware analysis report

Static analysis result for SHA-256 baacf659e2e8b2b8…

Verdict: MALICIOUS

File type: PDF

Size: 60.9 KB
Authoring application: Adobe PDF Library 9.0
MD5: 17f6b4fc26db59f2ee07770166949d6c
SHA-1: 6323b5f39c7a602974f4cde20c4a294368b73264
SHA-256: baacf659e2e8b2b8bc25cfcc3f771afe267f7527538e5db457e5990335ab096a
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded links to external PDF documents, a pattern commonly used for SEO poisoning or to redirect users to malicious content. The ClamAV detection and the ML classifier score together strongly indicate malicious intent. The embedded URLs are the primary indicators of compromise and point to a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://aakyoga.com/uploads/1/3/0/5/130551179/4265587.pdf
    • http://walipijo.instalm.com/uploads/2020/01/28/2692602.pdf
    • http://audreylewisinteriors.com/uploads/1/3/0/2/130270938/boninitexuzoma.pdf
    • http://16365redington.com/uploads/1/3/0/5/130539888/8734520.pdf
    • https://wulewesag.weebly.com/uploads/1/3/0/3/130379110/6601995.pdf
    • http://oregonabslearningstandards.org/uploads/1/3/0/6/130639026/d1c64dc.pdf
    • http://consultoriaconsciente.com/uploads/1/3/0/2/130289019/e425d3652.pdf
    • http://perceptualteaching.org/uploads/1/3/0/2/130287482/bojafimeme.pdf
    • http://cninc.org/uploads/1/3/0/5/130550985/rikilulakefag.pdf
    • http://economicstitan.com/uploads/1/3/0/5/130543158/130543158.html#list+of+english+words+of+arabic+origin+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off00008a39.bin
    SHA-256: d3443b3a44b454ab03616c0d5649cea6cd1e1d63c262a511794f2d90eac9a24a
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x8A39
    Size: 30368 bytes
  • Filename: font_00_sfnt_off00001286.bin
    SHA-256: 2f390462df3bcb5194f3f0c90c298f108a459f6add1fd0306ad42700a667b54b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1286
    Size: 9700 bytes
  • Filename: font_01_sfnt_off00007a8f.bin
    SHA-256: 9fc605526dbcbd0eb4f0ba7e7fd085233e1268aca2ce6815d8c69a0c2e9aa7b8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7A8F
    Size: 3340 bytes