Malicious PDF — malware analysis report

Static analysis result for SHA-256 d97865d20cc4dce4…

Verdict: MALICIOUS
File type: PDF
Size: 68.3 KB
Authoring application: Scribus
MD5: af12fc22a3d053bf251353c7440d7d88
SHA-1: ccf1dd146f37b4dbcae821d8ded31d69fb2cbbba
SHA-256: d97865d20cc4dce4e23340d28090d0511b85ab0450011939c0654ea49c827185
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The PDF_SEO_LINK_FARM heuristic fired due to the presence of 31 external links, with the primary domain being fuzufomat.planbani.ru. The document body also contains numerous URLs, reinforcing the finding of a link farm. This suggests the document is designed to redirect users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000181d.bin
SHA-256: 31fcf55a13409948c02b9ed1b5ed2c85f13d7b46ef2618ecf6921f02abca4a3f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x181D
Size: 8980 bytes