Malicious PDF — malware analysis report

Static analysis result for SHA-256 f2703c24d5e51d1f…

Verdict: MALICIOUS
File type: PDF
Size: 39.6 KB
Authoring application: Solid Converter PDF
MD5: aec60f7867058fc4bb0943bdaec2ff0e
SHA-1: 9587e5d28aa482b862c35a9d43d09c35c90b5441
SHA-256: f2703c24d5e51d1fa57674b6b1c516d84505b6ec5d91e04bd25129e2ac476a97
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The file is a PDF document detected as malicious by ClamAV and an ML classifier. The PDF contains a large number of embedded URLs, many of which point to other PDF files on various domains. This behavior is indicative of a link farm or a redirection scheme, likely intended to distribute further malware or conduct phishing. The primary heuristic, PDF_SEO_LINK_FARM, directly supports this assessment by identifying the mass external PDF link farm.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000014aa.bin
SHA-256: fdf5e5984c88f832bd2829ac28a9de1fbada293210ae0f71a2e0e7c5ddb3badd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x14AA
Size: 9132 bytes