Malicious PDF — malware analysis report

Static analysis result for SHA-256 d0ade5b152c06b7d…

Verdict: MALICIOUS
File type: PDF
Size: 45.9 KB
Authoring application: GIMP
MD5: cc24b8334e8975a03bf360e2f8268f1c
SHA-1: 9cb5e4a36cde5a0396cf2959f74461cb5e11036f
SHA-256: d0ade5b152c06b7d70316c96607eb389e81d7c11465786504c12f359aab6a32d
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded URLs pointing to other PDF files across various domains, indicative of a link farm or a distribution mechanism for malicious content. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or malware distribution. No scripts were extracted, limiting the analysis of direct execution capabilities.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00004164.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4164 | 7888 bytes
    SHA-256: d0399f95c308985983b3b72366763e0b7880050dd177b75ff6b7be8b42b4ca2f
font_01_sfnt_off00005c3e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5C3E | 6728 bytes
    SHA-256: dff48c9efea295fddc027f0dcd69baef71c9997637ef558772d3cbed2411a5eb