Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0690fd6f4e6cd59…

MALICIOUS

PDF

Size: 39.4 KB
Authoring application: Adobe PDF Library 9.0
MD5: ef462331999bb6258e4ec0d64e357b93
SHA-1: e9b999b0466c6cdc4eb613e1e95b576f9e63b73f
SHA-256: e0690fd6f4e6cd59fff18211c432a44234892b9548fae22d884a042bd738c5d3
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for malicious content, as suggested by the 'PDF_SEO_LINK_FARM' and 'ML_NYX_PDF_MALICIOUS' heuristics. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious classification. The primary attack pattern involves directing users to a multitude of external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://lupe.finresult.com/uploads/2020/01/28/tejozusa-botutubuwa.pdf
    • http://solebait.com/uploads/1/3/0/5/130590567/luxot_jutikeze_tofufoxalij_sagaxuvavomaje.pdf
    • http://happyfamilyhealthyhome.com/uploads/1/3/0/5/130589230/nizigaw.pdf
    • http://mpunlimited.com/uploads/1/3/0/2/130289592/vowudewava.pdf
    • http://binaryforexbrokers.net/uploads/1/3/0/6/130605412/bodelusadiwipe-pozifepet-damaxewu.pdf
    • http://mondokdentalimplantsmexico.com/uploads/1/3/0/6/130639559/884297.pdf
    • http://360kirk.com/uploads/1/3/0/4/130476221/fuvunipefalakat-xosuguligaru.pdf
    • http://novasparockyhill.net/uploads/1/3/0/5/130551839/5c45bf6d7.pdf
    • http://moabrecycles.com/uploads/1/3/0/6/130621593/risawibo-vuzenafixul-detotemejarujig.pdf
    • http://drjosephetrezza.com/uploads/1/3/0/6/130604882/kodeso.pdf
    • http://sim.pcigra.ru/uploads/2020/01/27/dejajedebibegapig.pdf
    • http://natutule.o-tender.ru/uploads/2020/01/27/dopemisaginaked.pdf
    • http://hydfoodreview.com/uploads/2020/01/27/zokuz-maxaran-pufuxipo-fugewalivewisi.pdf
    • http://xojurefor.autogost.com/uploads/2020/01/28/9125149.pdf
    • http://captivated.blog/uploads/1/3/0/6/130639679/xumavalopujud-zimumunijeg.pdf
    • http://northsidegurlcosmetics.com/uploads/1/3/0/4/130483110/2469144.pdf
    • http://xebox.bpthere.club/uploads/2020/01/28/tiwolawowedus.pdf
    • http://fadunagik.melikset.ru/uploads/2020/01/27/tegidesij.pdf
    • http://sogaka.serdyukov.pro/uploads/2020/01/28/lusulemi.pdf
    • http://danfodiolaw.com/uploads/1/3/0/6/130604710/8597558.pdf
    • http://stokesed508webpage.com/uploads/1/3/0/6/130639651/130639651.html#android+developer+key+skills

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000017fa.bin
Hash: 5da55a58618cbd8bdc067f6a279faa4094ed8028b978a2d8a5f5ea427acb2d36
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x17FA
Size: 8672 bytes