Malicious PDF — malware analysis report

Static analysis result for SHA-256 c331b0356d72bc6a…

Verdict: MALICIOUS

File type: PDF

Size: 42.1 KB
Authoring application: PDF Studio
MD5: 1dec10bf55cbc32904f9966a2a8746c0
SHA-1: f1a702f61dc282dd663f2c1c6e1769f301b57397
SHA-256: c331b0356d72bc6a67a64a9e1e32fa99b25c3e70863f317447ab4466dfa20728
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, a pattern commonly used for SEO poisoning and phishing. The ClamAV signature match and the ML classifier score both strongly indicate malicious intent. The embedded URLs likely lead to further malicious content, such as phishing pages or malware downloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000047b2.bin
    SHA-256: d88af9f1e4450ee791fff1f7eb0f272421c24f97b3c22b2ba307cf8009fecba3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x47B2
    Size: 8024 bytes