Malicious PDF — malware analysis report

Static analysis result for SHA-256 eaece510e1c0c8e2…

Verdict: MALICIOUS
File type: PDF
Size: 39.0 KB
Authoring application: Mobipocket Creator
MD5: 10045a2a1cfaf59c1c52b214ecffae70
SHA-1: d12c63f048cf9a944c331ffd33d21c7ae650b742
SHA-256: eaece510e1c0c8e2992e6c4e51f1c14a793a447368edf3a6650550091c27d943
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, identified as a link farm, pointing to various domains. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent, likely phishing or malware distribution. The document body, though containing some obfuscated text, includes the phrase 'What is general deterrence' and embeds numerous URLs, suggesting a lure to external malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001212.bin
SHA-256: 5d9542d57993530d0b4402c90272f06e57a91fb8dc6ae18c23f4d61d70d87d9a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1212
Size: 7860 bytes