Malicious PDF — malware analysis report

Static analysis result for SHA-256 e178ebecc47747f0…

Verdict: MALICIOUS
File type: PDF
Size: 39.4 KB
Authoring application: Poppler-utils
First seen: 2020-09-24
MD5: 070fceda724162ba1beb82e69b710a4d
SHA-1: 52c5a2254d2fdfcbee79a0d9df23f6c0201ce8b5
SHA-256: e178ebecc47747f0fa6e6110d816f3073c0e8438030c62d4f1d533f9176a9da9
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged as malicious by multiple detectors, including ClamAV and an ML classifier. The PDF_SEO_LINK_FARM heuristic identified a mass of external PDF links, with the primary domain being mochapter7.com. The embedded URLs suggest a link farm built to distribute malicious content or redirect users to phishing sites. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003832.bin
SHA-256: fab23ede0afd2454db80e9e59c2f877377f6df103486672f1eb319a7b91d044b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3832
Size: 8208 bytes