Malicious PDF — malware analysis report

Static analysis result for SHA-256 c21c7d52c5586c6e…

Verdict: MALICIOUS
File type: PDF
Size: 47.4 KB
Authoring application: PDFedit
MD5: cce623f2b19fc9b02701c535d57919df
SHA-1: ded446771ff2889b2e2671469e796e2da3cdd22a
SHA-256: c21c7d52c5586c6e30bf6778283c179c80890d3011be74bc89ffbe7a6cb41b6c
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The critical PDF_SEO_LINK_FARM heuristic fired, revealing a mass of 21 embedded external PDF links, with the primary domain being wubiwajum.sparepartsjumberca.com. This suggests the document is designed as a lure to redirect users to a network of potentially malicious sites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000160a.bin
  SHA-256: fc60295cc3c3db11f95b2c56000243de4e97599ed4742caf6e8baa2a5c0c64c7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x160A
  Size: 8632 bytes

Filename: font_01_sfnt_off00007e55.bin
  SHA-256: 9edc51b0ecaddb7c52e0498f181aabc5b6c653ed7fe1e7a0bb91979c5f9339ae
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7E55
  Size: 2600 bytes