Malicious PDF — malware analysis report

Static analysis result for SHA-256 c1442a95ca0dcf68…

Verdict: MALICIOUS
File type: PDF
Size: 41.4 KB
Authoring application: Serif PagePlus
First seen: 2020-12-25
MD5: 5f657d32ac87d838f1d1bd75b563fe21
SHA-1: 6bba432c05a084e189b91ba8509ea5f4683ecd17
SHA-256: c1442a95ca0dcf687c3485e04ec47024ccf8a5d4f1f487ce67ebb5d7d81d2e7f
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The embedded URLs are likely part of a campaign to distribute further payloads or conduct phishing operations.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL — Channel
    • http://bestofthewestmoving.com/uploads/1/3/0/5/130543148/depuf.pdf — In PDF document text
    • http://soloptometry.com/uploads/1/3/0/5/130588294/0f52503060557.pdf — In PDF document text
    • http://woodlandstuition.com/uploads/1/3/0/6/130639269/gamolevaroli.pdf — In PDF document text
    • http://safecleanasc.com/uploads/1/3/0/5/130538869/jipexa.pdf — In PDF document text
    • http://vegasvoicelessons.com/uploads/1/3/0/5/130589243/05c44ce5819.pdf — In PDF document text
    • http://newstokenpool.com/uploads/1/3/0/7/130738754/4484910.pdf — In PDF document text
    • http://charismasifferman.com/uploads/1/3/0/4/130475966/niripifegot_loripijata_fupikigume_vusidojefisu.pdf — In PDF document text
    • http://midlandareahomes.org/uploads/1/3/0/6/130620509/b82c829d.pdf — In PDF document text
    • http://nova-hall.com/uploads/1/3/0/6/130621298/jigevesikusuw.pdf — In PDF document text
    • https://gutuwofugojo.weebly.com/uploads/1/3/0/6/130603906/9876038.pdf — In PDF document text
    • http://returnoninitiative.us/uploads/1/3/0/6/130620503/196349.pdf — In PDF document text
    • http://reachlearning.net/uploads/1/3/0/5/130550722/sokemabezakupuw-tawabotifuses-tadimanadejufuf.pdf — In PDF document text
    • http://asociacionperiodistaspr.org/uploads/1/3/0/5/130540010/130540010.html#que+es+un+generador+hidraulico — In PDF document text

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000013a3.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x13A3
Size: 9672 bytes
SHA-256: 9c03f9f19599cc77b534a64371ebb3a781d19845115a6b0843a60b3c6dd09bb7