Malicious PDF — malware analysis report

Static analysis result for SHA-256 d7cecd916ba854a3…

MALICIOUS

PDF

Size: 67.7 KB
Authoring application: Solid Converter PDF
MD5: aab44812e74a613fd74a914b6601942f
SHA-1: 4b2025552997580b2c3586c3ec78f2d717d101a9
SHA-256: d7cecd916ba854a39db4ecf3385cd187b4a23c246fe32c1e4ef232aff79ae3dc
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to other PDF files hosted on various domains. This suggests a phishing or SEO poisoning attack. The ML classifier and ClamAV detection strongly indicate malicious intent. No scripts were extracted from this sample, and the document body content is heavily obfuscated and unreadable.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00005efe.bin
    SHA-256: ca889182d22413b1a5b6446cd5d954c095bfc2c8b2fec1022b19199100617195
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5EFE
    Size: 16028 bytes
  • font_01_sfnt_off00007319.bin
    SHA-256: 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7319
    Size: 1388 bytes
  • font_02_sfnt_off00007d82.bin
    SHA-256: c8f7c40416324f2c17223bbfe0409fecffae67e809322a337a4cd04b5c85d800
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7D82
    Size: 18300 bytes
  • font_03_sfnt_off0000b051.bin
    SHA-256: ea04a3ed0b26f1a51350d411b4f82b7f46b3655de8ee0dc5016bb9b84197bb81
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB051
    Size: 8300 bytes