Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1d13470eebc686f…

Verdict: MALICIOUS
File type: PDF
Size: 33.7 KB
Authoring application: Soda PDF
MD5: f8a204a3646a32297ea54cdd4f887b26
SHA-1: ce2830f3a00275a5edfb29114242be2b60ebb7a9
SHA-256: f1d13470eebc686fd1e05deb050f592c7d02e14385a5ec2a0b74f146711f0d5d
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1059.001 PowerShell (no PowerShell artifact appears among the findings below, so this mapping is not supported by the static evidence shown)

ClamAV (Pdf.Phishing.TtraffRobotInstall-7605656-0) and the Nyx ML classifier (score 0.9999) both flag the file. At 33.7 KB it carries eight external URLs, seven of them pointing at further .pdf files on disposable hosts (three weebly.com subdomains and several throwaway domains with dated /uploads/2020/01/ paths), a pattern consistent with a generated SEO link-farm carrier rather than genuine citations. The page text, although heavily obfuscated, references 'Pokemon indigo league download game', a search-bait lure; the links most likely chain through further PDFs to unwanted-software or phishing delivery. This is a static verdict: none of the URLs was fetched, so the final payload is not characterised here.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://dinuw.rttelekom.online/uploads/2020/01/27/rogaxigovaduriwala.pdf
    • http://rera.remontkamazov.ru/uploads/2020/01/29/2641814.pdf
    • http://lazekusak.s-ruben.com/uploads/2020/01/27/fewevaxi-zimakufexoj-vavidub.pdf
    • https://mutagezoki.weebly.com/uploads/1/3/0/6/130604653/zowereza.pdf
    • https://lodafudibo.weebly.com/uploads/1/3/0/5/130543787/nuberi.pdf
    • https://dusebowegowaj.weebly.com/uploads/1/3/0/3/130379205/lebawunizid_sigomus_zakemefobe.pdf
    • http://leviv.onlinecertificate.ru/uploads/2020/01/28/7e0c758.pdf
    • http://ackertech.org/uploads/1/3/0/5/130545698/130545698.html#pokemon+indigo+league+download+game
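The PDF_SEO_LINK_FARM heuristic above is mechanical enough to reproduce. The following Python is an added example, not the analyzer's own code: it pulls URLs out of the uncompressed objects of a PDF, labels each by the channel that carried it (a clickable /URI link annotation versus bare text in the document body, the distinction the EMBEDDED_URL note draws), and scores the link-farm pattern from file size, number of external .pdf links and host clustering. The size and count thresholds, the naive registrable-domain split and the constructed sample PDF (built from the URLs listed above) are assumptions, not values from the report.

```python
"""Triage for the PDF_SEO_LINK_FARM pattern: pull URLs out of a PDF by channel
(clickable /URI link annotations vs. bare text), then score size, external
.pdf link count and host clustering. Added example, not the analyzer's code;
the thresholds are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

MAX_SMALL_SIZE = 100 * 1024        # assumed: what counts as a "small PDF"
MIN_EXTERNAL_PDF_LINKS = 5         # assumed: what counts as "many" links

# /URI (literal string, with backslash escapes) and /URI <hex string>.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
BARE_URL = re.compile(rb"https?://[^\s<>()\"']+")


def pdf_unescape(s: bytes) -> bytes:
    """Undo PDF literal-string escapes \\( \\) \\\\ (octal \\ddd is not handled here)."""
    return re.sub(rb"\\(.)", rb"\1", s, flags=re.S)


def extract_urls(pdf: bytes) -> dict:
    """URLs keyed by channel: 'link_annotation' (/URI actions, clickable) or
    'document_body' (a bare URL anywhere else in the plaintext objects)."""
    annots = [pdf_unescape(m.group(1)) for m in URI_LITERAL.finditer(pdf)]
    for m in URI_HEX.finditer(pdf):
        h = re.sub(rb"\s", b"", m.group(1))
        annots.append(bytes.fromhex((h + b"0" if len(h) % 2 else h).decode("ascii")))  # odd length: pad
    link_urls = [u.decode("latin-1") for u in annots]
    seen = set(link_urls)
    body_urls = [m.group(0).decode("latin-1") for m in BARE_URL.finditer(pdf)
                 if m.group(0).decode("latin-1") not in seen]
    return {"link_annotation": link_urls, "document_body": body_urls}


def registrable_domain(url: str) -> str:
    # Naive eTLD+1 (last two labels): fine for .com/.ru/.online, wrong for co.uk.
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def assess_link_farm(pdf: bytes) -> dict:
    """Score the heuristic over clickable links only; body URLs are reported, not scored."""
    urls = extract_urls(pdf)
    distinct = sorted(set(urls["link_annotation"]))
    pdf_links = [u for u in distinct if urlsplit(u).path.lower().endswith(".pdf")]
    clusters = Counter(registrable_domain(u) for u in distinct)
    top_domain, top_n = clusters.most_common(1)[0] if clusters else ("", 0)
    return {
        "size": len(pdf),
        "link_annotations": len(urls["link_annotation"]),
        "distinct_links": len(distinct),
        "external_pdf_links": len(pdf_links),
        "top_domain": top_domain,
        "top_domain_share": round(top_n / len(distinct), 2) if distinct else 0.0,
        "body_urls": urls["document_body"],
        "PDF_SEO_LINK_FARM": len(pdf) <= MAX_SMALL_SIZE and len(pdf_links) >= MIN_EXTERNAL_PDF_LINKS,
    }


# Constructed sample input reusing the URLs from the report: the seven .pdf URLs
# become /Link annotations (every third one hex-encoded), the .html lure goes in the page text.
LINK_URLS = [
    "http://dinuw.rttelekom.online/uploads/2020/01/27/rogaxigovaduriwala.pdf",
    "http://rera.remontkamazov.ru/uploads/2020/01/29/2641814.pdf",
    "http://lazekusak.s-ruben.com/uploads/2020/01/27/fewevaxi-zimakufexoj-vavidub.pdf",
    "https://mutagezoki.weebly.com/uploads/1/3/0/6/130604653/zowereza.pdf",
    "https://lodafudibo.weebly.com/uploads/1/3/0/5/130543787/nuberi.pdf",
    "https://dusebowegowaj.weebly.com/uploads/1/3/0/3/130379205/lebawunizid_sigomus_zakemefobe.pdf",
    "http://leviv.onlinecertificate.ru/uploads/2020/01/28/7e0c758.pdf",
]
BODY_TEXT = ("Pokemon indigo league download game: http://ackertech.org/uploads/1/3/0/5/"
             "130545698/130545698.html#pokemon+indigo+league+download+game")


def build_sample_pdf(link_urls, body_text: str) -> bytes:
    """Minimal one-page PDF with a valid xref and one /Link annotation per URL."""
    annot_refs = " ".join(f"{5 + i} 0 R" for i in range(len(link_urls)))
    content = f"BT /F1 12 Tf 72 720 Td ({body_text}) Tj ET".encode("latin-1")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
        f"/Annots [{annot_refs}] >>".encode("latin-1"),
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",
    ]
    for i, url in enumerate(link_urls):
        raw = url.encode("latin-1")
        if i % 3 == 2:                                     # hex string form
            uri = b"<" + raw.hex().encode("ascii") + b">"
        else:                                              # literal form, parens escaped
            uri = b"(" + raw.replace(b"(", b"\\(").replace(b")", b"\\)") + b")"
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] /A << /S /URI /URI "
                    % (700 - 20 * i, 715 - 20 * i) + uri + b" >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


if __name__ == "__main__":
    for key, value in assess_link_farm(build_sample_pdf(LINK_URLS, BODY_TEXT)).items():
        print(f"{key}: {value}")
```

Run as a script it scores the constructed sample: seven clickable .pdf links, three of them on weebly.com subdomains, and the .html lure reached only from the page text. Real samples frequently keep their annotation objects inside compressed object streams or behind encryption, which a byte-level scan like this never sees; normalise first with `qpdf --qdf --object-streams=disable in.pdf out.pdf`, or swap the regexes for a real parser such as pikepdf, before trusting a negative result.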

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001193.bin
SHA-256: 7f11a837686d37a1d952d6de277e3b5acf5f04d0fd2861b73e288f30ade5e1ff
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1193
Size: 8488 bytes