Malicious PDF — malware analysis report

Static analysis result for SHA-256 c13dea61f576b987…

Verdict: MALICIOUS
File type: PDF
Size: 36.8 KB
Authoring application: PDFedit
MD5: ad92a812d43b40c02924d75781bd55e2
SHA-1: d071b73c2d8633b304e029abe3a53c92fedf5e27
SHA-256: c13dea61f576b98722ffff6432a6385d1e37f64fa7710b041a9a39342299774c
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO spam or to distribute malicious content. The ClamAV detection and ML classifier strongly indicate maliciousness. The document body text is largely unreadable due to encoding issues, but the presence of URLs and the heuristic firings are sufficient to assess the attack pattern. The primary IOCs are the numerous embedded URLs.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000013f4.bin
Hash: d4e95aaab578c35af21ba5e7ea34d2800b3b80b00a48c1003f649b5f327c0922
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x13F4
Size: 7212 bytes