Malicious PDF — malware analysis report

Static analysis result for SHA-256 c942c6ca0f90bb4b…

MALICIOUS

PDF

Size: 43.7 KB
Authoring application: PDFBox
MD5: ca143499368cfda62f5b5419c04b8fdc
SHA-1: 9cdfb2c368ae59a8ea95683250161936fe0d4fa1
SHA-256: c942c6ca0f90bb4bf53bd4f08441e551c147f3576accf093258cbbedea8212fd
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristic 'PDF_SEO_LINK_FARM' indicates the document's primary purpose is to host a large number of external links, directing users to various PDF files on different domains. No scripts were extracted from this sample, and the document body contained mostly obfuscated or irrelevant text, reinforcing the focus on the embedded links as the attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00001314.bin
    SHA-256: 1c4c8824fbdaaf7f2ba4f319528a2002323763d63524d25776f2e66eb9aa35fe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1314
    Size: 8556 bytes
  • font_01_sfnt_off000062ea.bin
    SHA-256: 0bcb8714eeee09f3a0b97cfa4268358194ea58a2d09b0ea1e98cdb863a7a445a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x62EA
    Size: 16404 bytes