Malicious PDF — malware analysis report

Static analysis result for SHA-256 be213c9d90154abe…

MALICIOUS

PDF

33.5 KB Authoring application: GIMP
MD5: 347ef724121cfb77bc30fc029f0e03f5 SHA-1: f3dd04795491c8d5a60118036e594f2953d8193d SHA-256: be213c9d90154abebce50f3df0d14bef4a3e12a3ea3c441529f731f97b9186c5
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This behavior is indicative of a link farm or a method to distribute malicious content indirectly. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or malware distribution. No scripts were extracted, limiting the analysis of direct execution capabilities.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ncmodern.com/uploads/1/3/0/5/130538923/perukoxevenixobo.pdf
    • http://bluemonstercellars.com/uploads/1/3/0/7/130776025/rakojanamowofadita.pdf
    • http://crownemarketgroup.com/uploads/1/3/0/6/130621601/3279912.pdf
    • http://bodybydrea.net/uploads/1/3/0/5/130543310/bakidemokelufax-molinujovo-xezodejufojo-pexepefojijati.pdf
    • http://darcyrylander.com/uploads/1/3/0/2/130288939/futot_zuxabarow.pdf
    • http://karasholtz.net/uploads/1/3/0/4/130488888/wififebilopa.pdf
    • http://clkdesign.ca/uploads/1/3/0/6/130621666/dojujomulel.pdf
    • http://soilnstruments.com/uploads/1/3/0/4/130488993/jupaxarefosaboni.pdf
    • http://shaakirasharifeducationalpsychologyandtechnologyprogram.com/uploads/1/3/0/5/130539797/sijuxijub.pdf
    • http://nicholasruscettaart.com/uploads/1/3/0/7/130739150/fowezapipulisuvape.pdf
    • http://finan.activityedge.com/uploads/2020/01/28/4ef9e375f.pdf
    • http://cementfab.com/uploads/1/3/0/4/130475939/130475939.html#solved+comprehensive+project+of+accounts+for+class+12+pdf+download

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001330.bin
8425c69e39aaf4d8bcff8880e6548116c5623b55f7e0b664b553cc53af865394		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1330 7672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.