Malicious PDF — malware analysis report

Static analysis result for SHA-256 f027d18898898b6e…

MALICIOUS

PDF

Size: 85.4 KB
Authoring application: Mobipocket Creator
MD5: 1a581d23e6d4719b11a3f99b3d4c3e12
SHA-1: c5202d2108581cb4164bccec16c50742509fcee9
SHA-256: f027d18898898b6e4f8cc4e3c23d29b85800249d002a8d45293703620cd1eb42
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The primary attack pattern observed is the presence of a large number of embedded URLs pointing to external PDF files, a technique often used for SEO spam or to distribute further malware. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies this behavior, with 'ancoraimparo.biz' being a dominant host among the linked domains. No scripts were extracted, but the sheer volume and nature of the linked URLs strongly suggest a malicious distribution or redirection scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000017c6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17C6
    Size: 8524 bytes
    SHA-256: 7d664dc9a03fce076492fb2056d4219848c2b79af3686635b240b73192274c1f
  • Filename: font_01_sfnt_off0000875f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x875F
    Size: 16812 bytes
    SHA-256: b2471443301e4e3cefa16eb0485650cebb9b99ebf4e115e7be3be881da0b94c0