Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7bcd65eb2abc462…

Verdict: MALICIOUS
File type: PDF
Size: 38.2 KB
Authoring application: Scribus
MD5: ac699b547830630da66421df08fd24e6
SHA-1: 3a1c5722a5f4beea508c237279c6b9410dfe93c8
SHA-256: e7bcd65eb2abc4624d3a6c5f6d1fc4cb8a56cb91bd00baa1380de45add1c57a0
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies the mass external PDF link farm, with the first URL being http://holypostdigital.com/uploads/1/3/0/6/130605216/be3dea79f9.pdf. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://holypostdigital.com/uploads/1/3/0/6/130605216/be3dea79f9.pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003535.bin
SHA-256: 653e479f6eded6893c7cc3535227e44e7fee782b24b61cba10b2629601b1cc62
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3535
Size: 7372 bytes