Malicious PDF — malware analysis report

Static analysis result for SHA-256 f445e662e75daecb…

MALICIOUS

PDF

Size: 43.7 KB
Authoring application: Serif PagePlus
MD5: fac2ebfadd22b2621ec8efcf06256910
SHA-1: 7db102ae3c5d483b774c5c1f24c752ba12d0d57c
SHA-256: f445e662e75daecb73b24f7751934b75dbe549aa50b639ea60ba7fe30f17313c
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF was flagged by multiple heuristics, including a critical PDF SEO link-farm finding. Its body carries numerous external URLs, the primary one being http://roger.vyberikredit.ru/uploads/2020/01/28/6282206.pdf; the remaining links point at similarly structured /uploads/ paths on other hosts. This pattern indicates a generated carrier document whose purpose is to route users to content hosted on those domains, most likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://roger.vyberikredit.ru/uploads/2020/01/28/6282206.pdf (primary)
    • http://mreshistory.weebly.com/uploads/1/3/0/5/130551581/688217.pdf
    • http://a1accommodations.org/uploads/1/3/0/5/130588380/3953915.pdf
    • http://rivereasttravel.com/uploads/1/3/0/5/130539344/virisekizesat.pdf
    • http://pemeren.sonamgusau.online/uploads/2020/01/27/diluvawirafowivife.pdf
    • http://aimeekena.com/uploads/1/3/0/5/130550882/7172064.pdf
    • http://heartst.art/uploads/1/3/0/4/130478433/1338671.pdf
    • http://smpcreditrepair.org/uploads/1/3/0/4/130477490/bixarip-jojet-daruvuxofoladi-sutow.pdf
    • http://psychedynamic.com/uploads/1/3/0/5/130543261/5151909.pdf
    • http://nathaniel-e-yamamoto.com/uploads/1/3/0/4/130436152/bebezif.pdf
    • http://striating.weebly.com/uploads/1/3/0/5/130542965/12ff02fadffd9.pdf
    • http://wagtheworld.net/uploads/1/3/0/6/130603741/0b502762098edde.pdf
    • https://dikirawasi.weebly.com/uploads/1/3/0/5/130590366/6911697.pdf
    • http://shikareddy.com/uploads/1/3/0/2/130289346/furopiladuzijo-kaxes-direteloso-subosixivem.pdf
    • http://keepingupwiththehoustons.com/uploads/1/3/0/2/130289421/5428763.pdf
    • http://soselectrical.co.nz/uploads/1/3/0/5/130588783/4868178.pdf
    • http://petpalspetandhomecare.com/uploads/1/3/0/6/130640116/5478752.pdf
    • https://sonuvawi.weebly.com/uploads/1/3/0/2/130271095/5764307.pdf
    • http://deinehandwerker.ch/uploads/1/3/0/5/130539243/5413848.pdf
    • http://tcsonline.net/uploads/1/3/0/5/130550830/130550830.html#los+criterios+de+divisibilidad
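The link-farm heuristic above (small file, many clickable external links, clustered on one host) can be reproduced offline. The following is an added example, not the analysis platform's own code: it pulls /URI targets out of raw PDF bytes, then scores file size, distinct external-link count and host concentration. The thresholds (256 KB, 8 links, 50% share) and the example.net/.org/.com hosts in the constructed sample are this example's assumptions; real samples usually keep link annotations inside FlateDecode object streams, which a production tool must inflate before this scan.

```python
"""Link-farm heuristic over raw PDF bytes (added example; thresholds are assumptions)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI targets appear as literal strings "(...)" or hex strings "<...>" inside
# link-annotation action dictionaries. This scan works on uncompressed objects;
# a production tool inflates FlateDecode object streams first.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def unescape_literal(raw: bytes) -> str:
    """Decode PDF literal-string escapes: \\( \\) \\\\ \\n \\r \\t and octal \\ddd."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):          # backslash escape
            nxt = raw[i + 1]
            if nxt in b"01234567":                  # up to three octal digits
                j = i + 1
                while j < len(raw) and j < i + 4 and raw[j] in b"01234567":
                    j += 1
                out.append(int(raw[i + 1:j], 8) & 0xFF)
                i = j
                continue
            out.append({0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09}.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    return out.decode("latin-1")


def extract_uris(pdf: bytes) -> list:
    """Return every /URI target found in the raw bytes, in file order."""
    found = []
    for m in URI_LITERAL.finditer(pdf):
        found.append((m.start(), unescape_literal(m.group(1))))
    for m in URI_HEX.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:                         # PDF pads an odd final digit with 0
            digits += b"0"
        found.append((m.start(), bytes.fromhex(digits.decode()).decode("latin-1")))
    return [u for _, u in sorted(found)]


def link_farm_verdict(pdf: bytes, max_size=256 * 1024, min_links=8, cluster_share=0.5) -> dict:
    """Flag a small PDF whose distinct external links mostly point at one host.
    The three thresholds are this example's assumptions, not the report's."""
    external = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(external) if external else 0.0
    distinct = len(set(external))
    return {
        "size": len(pdf),
        "links": distinct,
        "hosts": len(hosts),
        "top_host": top_host,
        "top_share": round(share, 2),
        "flagged": len(pdf) <= max_size and distinct >= min_links and share >= cluster_share,
    }


def build_sample_pdf(urls) -> bytes:
    """Constructed test input: a one-page uncompressed PDF with a /Link annotation per URL."""
    annots = " ".join(
        f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ({u}) >> >>"
        for u in urls)
    body = ("%PDF-1.4\n"
            "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            f"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [{annots}] >> endobj\n"
            "trailer << /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# Constructed URL sets (example.* hosts, not the sample's real infrastructure).
FARM_URLS = [f"http://links.example.net/uploads/2020/01/28/{i}.pdf" for i in range(8)] + [
    "http://alpha.example.org/uploads/1/3/0/5/1.pdf",
    "http://beta.example.org/uploads/1/3/0/5/2.pdf",
    "https://gamma.example.com/uploads/1/3/0/4/3.pdf",
    "http://delta.example.com/uploads/1/3/0/6/4.pdf",
]
BENIGN_URLS = ["https://www.example.com/", "https://docs.example.org/spec.pdf", "mailto:author@example.org"]

if __name__ == "__main__":
    for name, urls in (("link farm", FARM_URLS), ("benign", BENIGN_URLS)):
        print(name, link_farm_verdict(build_sample_pdf(urls)))
```

The verdict dict is deliberately explicit about what drove the decision (size, distinct links, host count, top-host share) so the numbers can be reported alongside the flag, as the report does. Note that the literal-string pattern handles escaped parentheses but not unescaped balanced ones, which PDF also permits; a full parser should track nesting.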

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000014f2.bin
  SHA-256: f7e8dd57c25249f41810cf0fbd997b6cbfd9b41f883a0ba65c7011d9e771126e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x14F2
  Size: 7748 bytes

Filename: font_01_sfnt_off00005958.bin
  SHA-256: 7952e68e54a76fcab9c4c46432d1838cd5ce6feceac914d7b96b87f9265e9dfc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5958
  Size: 16348 bytes

Filename: font_02_sfnt_off00006ebb.bin
  SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6EBB
  Size: 2652 bytes
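The artifacts above are sfnt fonts carved by file offset. As an added example (not the platform's carver), the code below scans a blob for sfnt magic, validates the table directory, and derives each font's extent and SHA-256 from that directory, which is how an analyst can confirm that a carved font is complete rather than a truncated or false-positive hit. The blob and both fonts are constructed inline; the 64-table limit is an assumption used to reject spurious matches.

```python
"""Carve sfnt fonts (TrueType/OpenType) out of a blob by offset (added example)."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")   # TrueType, CFF OpenType, Apple TrueType
MAX_TABLES = 64   # assumption: real fonts have far fewer tables; bounds false positives


def sfnt_length(blob: bytes, off: int):
    """Validate the sfnt header at `off` and return the font's extent in bytes,
    computed as the end of its furthest table, or None if the directory is implausible."""
    if blob[off:off + 4] not in SFNT_MAGICS or off + 12 > len(blob):
        return None
    num_tables = struct.unpack_from(">H", blob, off + 4)[0]
    if not 0 < num_tables <= MAX_TABLES:
        return None
    dir_end = 12 + 16 * num_tables                      # header + table records
    if off + dir_end > len(blob):
        return None
    end = dir_end
    for i in range(num_tables):
        tag, _checksum, t_off, t_len = struct.unpack_from(">4sIII", blob, off + 12 + 16 * i)
        if not all(0x20 <= b < 0x7F for b in tag):      # tags are printable ASCII
            return None
        if t_off < dir_end or t_off + t_len > len(blob) - off:   # must follow directory, fit in blob
            return None
        end = max(end, t_off + t_len)
    return end


def carve_sfnt(blob: bytes):
    """Return (offset, length, sha256) for every validated sfnt found in `blob`."""
    found = []
    for magic in SFNT_MAGICS:
        pos = blob.find(magic)
        while pos != -1:
            n = sfnt_length(blob, pos)
            if n:
                found.append((pos, n, hashlib.sha256(blob[pos:pos + n]).hexdigest()))
            pos = blob.find(magic, pos + 1)
    return sorted(found)


def build_sfnt(tables: dict) -> bytes:
    """Constructed test input: a TrueType-flavoured sfnt with the given {tag: data} tables."""
    n = len(tables)
    dir_size = 12 + 16 * n
    records, body = b"", b""
    for tag, data in tables.items():
        records += struct.pack(">4sIII", tag, 0, dir_size + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)        # tables are 4-byte aligned
    return b"\x00\x01\x00\x00" + struct.pack(">HHHH", n, 0, 0, 0) + records + body


# Constructed blob standing in for a PDF: two font streams among other bytes.
FONT_A = build_sfnt({b"AAAA": b"A" * 20, b"BBBB": b"B" * 8})   # 72 bytes
FONT_B = build_sfnt({b"cmap": b"C" * 5})                        # 36 bytes, 33 used by tables
SAMPLE_BLOB = b"%PDF-1.4 stream " + FONT_A + b" endstream stream " + FONT_B + b" endstream %%EOF"

if __name__ == "__main__":
    for off, n, digest in carve_sfnt(SAMPLE_BLOB):
        print(f"font at 0x{off:X}: {n} bytes sha256={digest}")
```

The directory validation matters: a one-table font's header contains a second 0x00010000 sequence four bytes in (numTables = 1 followed by a zero searchRange), which a bare magic scan would report as another font. The length returned is the end of the last table, so a carved stream that is shorter than this value is truncated, and one that is only slightly longer is trailing alignment padding.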