Malicious PDF — malware analysis report

Static analysis result for SHA-256 beb47f5e0aed4bcf…

Verdict: MALICIOUS
File type: PDF
Size: 74.0 KB
Authoring application: Nitro PDF
MD5: cea4ba86903d6d4af06e33a8fa5ee389
SHA-1: 66063323eee3bb9c23870b916d8530d69af063d7
SHA-256: beb47f5e0aed4bcf546e76b539be686a2031bb89c07d97b7f3dafdf73f9cbf64
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file was identified as malicious by ClamAV and a machine learning classifier, exhibiting characteristics of a phishing campaign. The primary indicator is a large 'link farm' of embedded URLs pointing to external PDF documents, suggesting an attempt to redirect users to potentially harmful sites. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of specific lures.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00001b80.bin | 9aa3062736146f1d710d93555b3ac5712ca7ea379711c6e01add22cc0bf08147 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1B80 | 10172 bytes
font_01_sfnt_off0000d01a.bin | ac586abe5370001f1c1cffbd10a360c2c0bd224e9d7847d3c9f015e578e64b6e | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD01A | 3732 bytes
font_02_sfnt_off0000dc49.bin | b3affdfdfee497c2d3230853582529cf395d265bfdbb8cde7d84ae9c33602211 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xDC49 | 16036 bytes