Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8008a5cd1645533…

Verdict: MALICIOUS
File type: PDF
Size: 31.0 KB
Authoring application: Solid Converter PDF
MD5: b31d0fe428cf6d5ccb3524b1fb012622
SHA-1: 316d498518df7e99204eab62f3cf9133139e470f
SHA-256: f8008a5cd1645533aa791c47fe5c7ffa5bd1aab9b34ab248a49ea29e0fbb007c
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO poisoning or to direct users to malicious content. The ClamAV detection and the ML classifier score both strongly indicate malicious intent. The document body, while containing some seemingly innocuous text about baseball scores, also includes the URLs themselves, reinforcing the link-farm attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011a4.bin
Hash: a494431b3863bfa3ab43544faad378bccc9edb0e646fea8191f020ffbd3d8ff4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11A4
Size: 7748 bytes