Malicious PDF — malware analysis report

Static analysis result for SHA-256 da3f8b75f470e03f…

MALICIOUS

PDF

41.6 KB Authoring application: QPDF
MD5: 1830615b8b2318863843e9e6a970fb62 SHA-1: 7c17c0f75d7968410060d5ade6cfaef45a3702a3 SHA-256: da3f8b75f470e03f87d3f3c8f4f18183d8009a9ed1cf27e52ee082547d29b28e
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains a large number of embedded external links, as detected by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a tactic to manipulate search engine results or distribute malicious content. The ML classifier and ClamAV detection further support its malicious nature, flagging it as phishing or a downloader. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://boominworld.com/uploads/1/3/0/5/130550749/petuselufidugukab.pdf
    • http://carpetcleancary.com/uploads/1/3/0/5/130539128/1285733.pdf
    • http://simplyessentiallife.com/uploads/1/3/0/6/130620910/xovef.pdf
    • http://pejikezim.homka.online/uploads/2020/01/27/medizatijig-gulojedejix-karikinoze-wukupavupinine.pdf
    • https://tovalopomep.weebly.com/uploads/1/3/0/6/130605258/6054501.pdf
    • http://thecannabiscusine.com/uploads/1/3/0/6/130621826/e56946c.pdf
    • http://thejoyofjob.com/uploads/1/3/0/3/130312926/3319110.pdf
    • http://showdownvapor.com/uploads/1/3/0/6/130639591/pogupaxilawivokozo.pdf
    • http://sunsetsailkeywest.co/uploads/1/3/0/5/130588586/supekuf-gepitelen-dunogurikal.pdf
    • http://nationwidehealthgroup.com/uploads/1/3/0/6/130621642/vimakimolun_pitasufaxeg_guribowowerojez_sivitowarolaka.pdf
    • https://welexuzofom.weebly.com/uploads/1/3/0/2/130272579/7645995.pdf
    • http://remont-msk8.icu/uploads/2020/01/28/6495500.pdf
    • http://airscrubbersales.com/uploads/1/3/0/4/130488580/volemelirevixax_vujeben_sevobonujid.pdf
    • http://rus-snow.ru/uploads/2020/01/28/2e399.pdf
    • http://dapulo.good-power.ru/uploads/2020/01/29/1601964.pdf
    • http://fiz.kformacion.com/uploads/2020/01/27/funesuse-tufigilijukozak.pdf
    • http://babuni.ca/uploads/1/3/0/4/130483858/9854501.pdf
    • http://dedawu.rybalkavideo.info/uploads/2020/01/28/bomibibewu_falozamotifibos.pdf
    • http://adoptme.info/uploads/1/3/0/6/130603944/130603944.html#weather+forecast+report+mussoorie+uttarakhand

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_004_off00005822.bin
c0639cb816e645eccda2c698dc02f9fc88dede78922e728b2b6295cbb5d18765		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x5822 16768 bytes
font_00_sfnt_off00001753.bin
c883e08d35b3440aaa8648b1726cd2b489b5a42a61d415b5f5b3574f9bd25d72		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1753 8008 bytes
font_01_sfnt_off00004f19.bin
e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4F19 2652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.