Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9f85f4058a5990d…

MALICIOUS

PDF

Size: 39.5 KB
Authoring application: Smallpdf Desktop
MD5: e59600a29f56571def5b882c71495697
SHA-1: fc583589247320215272aaf81e9f23e978821744
SHA-256: d9f85f4058a5990d8b8b84fc78dcc99fde9b71859ef601fa1ed95b34380bd0dc
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to other PDF files on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, as flagged by the PDF_SEO_LINK_FARM heuristic and ClamAV detection. The ML classifier also strongly indicated maliciousness. No scripts were extracted from this sample, and the document body was truncated and uninformative.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000388f.bin
SHA-256: 8b6e7cf298df645ec8573599793acd5de0407af429efeab8cff095598967deb6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x388F
Size: 8516 bytes