Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc0330bb7bd93e4c…

Verdict: MALICIOUS
File type: PDF
Size: 62.1 KB
Authoring application: Adobe PDF Library 9.0
MD5: cac4373093c8b44bc58f9960722c3ca7
SHA-1: fe7271cfd2b27d3053522b2578801c1c73b85bf0
SHA-256: cc0330bb7bd93e4c65cce1eda63800b7b0902fa73a6813f13d5ab458bc65d84f
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded links to other PDF files hosted on various domains. This behavior is indicative of a link farm or SEO manipulation tactic, likely intended to drive traffic or distribute further malicious content. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-7652373-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Dropper.Agent-7652373-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00004c5a.bin | 1cbcc6ccb4c0e39095e587a84d88e28c288fced985aab23597519fc935a1653b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4C5A | 1428 bytes
font_01_sfnt_off00005646.bin | f28e81d4e523175b9333fbe4be8c01c6a4460f2da0f84e0f7eae969f7a7e4701 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5646 | 15408 bytes
font_02_sfnt_off00007e77.bin | f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7E77 | 16204 bytes
font_03_sfnt_off00009676.bin | d5080aafa8cd544d84f13423eb5ac48a02b5d9027590362fb8dc617921bb7548 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9676 | 8072 bytes