Malicious PDF — malware analysis report

Static analysis result for SHA-256 f949c486a78186e1…

Verdict: MALICIOUS
File type: PDF
Size: 42.0 KB
Authoring application: pstoedit
MD5: ad6b8c7396160a6a1e2493afa91620a8
SHA-1: 3fd709507051b2e65a8fcbe96d593b8a31670c0e
SHA-256: f949c486a78186e12fee6232eef250001944fb043611376b5f5580c7a3e499e6
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF file contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The embedded URLs point to various PDF files hosted on different domains, suggesting a link farm or a phishing campaign. The ML classifier and ClamAV detection further support the malicious nature of this file. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001770.bin
SHA-256: 213f9433a6a35b4d7b8e4bdb009e39da4821f52a1baa0ff741614606322d6508
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1770
Size: 10152 bytes