Malicious PDF — malware analysis report

Static analysis result for SHA-256 d60c07c7e3ea9885…

MALICIOUS

PDF

43.3 KB Authoring application: pdf-parser
MD5: c9fa7f1a2ebb0909a2b63af6323853d0 SHA-1: a32c59cdb1d9f8fbd0ab6435b8b578907720fbce SHA-256: d60c07c7e3ea98853b98a064757140ac3ecf03726308ca8a5d4b31155eaf1e73
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a phishing or redirection campaign. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though partially corrupted, contains text related to hacking Android games and includes several of the malicious URLs, reinforcing the phishing lure. The primary attack pattern involves directing users to a network of suspicious PDF files hosted on various domains.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://countingwithelliot.com/uploads/1/3/0/7/130738503/zewojisowowigelew.pdf
    • http://drivelifewild.com/uploads/1/3/0/4/130478438/a2592ac82b9d.pdf
    • http://michaelpetersenphotography.com/uploads/1/3/0/5/130589083/4bdc83b1.pdf
    • http://radiodagen.nl/uploads/1/3/0/7/130775427/5856774.pdf
    • http://wutixag.svd58.ru/uploads/2020/01/29/8195907.pdf
    • http://istartlocal.net/uploads/1/3/0/7/130738568/pabapenu.pdf
    • http://duza.wiki-compac.info/uploads/2020/01/29/3a6c7b836842.pdf
    • http://lune-blanc.com/uploads/1/3/0/5/130590143/dixinidujujowe.pdf
    • http://mikaren.com/uploads/1/3/0/7/130740514/3565167.pdf
    • http://mikeintucson.com/uploads/1/3/0/3/130323109/130323109.html#can+online+android+games+be+hacked

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000011fe.bin
f2925f002569e2916b7ab61520b71ea3ddf1acdf66781ed392b033c47634df59		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11FE 8232 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.