Malicious PDF — malware analysis report

Static analysis result for SHA-256 e36816d7cef33aa3…

Verdict: MALICIOUS
File type: PDF
Size: 37.7 KB
Authoring application: Solid Converter PDF
MD5: 2259a1de0544a1b9fdca7fcc17d3ab16
SHA-1: b05449d502a2bb9f775a41c2378c160d0377bef2
SHA-256: e36816d7cef33aa3e6b1cff88a80ee54af33de12399cb03ae025f6be9cb94ad6
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of embedded links to external PDF documents, a technique often used for SEO poisoning or to redirect users to malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent. The primary attack pattern involves directing users to a link farm of potentially malicious PDF files.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000179b.bin
SHA-256: 9a441eb5e1a84e609c1f89b4705ddea1dac1a2fd785a6d24645db7ed46930d4d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x179B
Size: 8060 bytes