Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb2127f5dda25579…

Verdict: MALICIOUS
File type: PDF
Size: 61.1 KB
Authoring application: Adobe PDF Library 9.0
MD5: d8608ee6fcfb686675d16430aa7a763c
SHA-1: 7010914337a41566fabf302cd7177c77d8e51765
SHA-256: eb2127f5dda2557915ebcb3e78135530e5aa3b40fed3f1de89cf7eeb7504dfa6
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files, as indicated by the PDF_SEO_LINK_FARM heuristic. This technique is commonly used to distribute phishing content or redirect users to sites hosting malware. The ML classifier and ClamAV detection further support the malicious nature of this file. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000157c.bin
SHA-256: 724e66f3b5934043fc9ef526836a9a9617aa5cf2b2d9b5aee0e4680063e52632
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x157C
Size: 9008 bytes