Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa98d2ff775a134b…

Verdict: MALICIOUS
File type: PDF
Size: 44.8 KB
Authoring application: GIMP
MD5: e1f5d2dbf31187bfc51944d8b45da50e
SHA-1: 149fc6a93ecc82e1160e117cc4909429b73b149c
SHA-256: fa98d2ff775a134bc5a5775142aa6ba6b04b479430760b4aa378d413bb7c3a09
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment (the PDF arrives as an attachment)
T1204.002 User Execution: Malicious File (the victim opens the PDF)
T1204.001 User Execution: Malicious Link (the victim clicks an embedded link; the original report listed this name under T1204.002, which is the Malicious File sub-technique)

The PDF carries a large number of clickable link annotations pointing at external PDF files, a pattern used for SEO manipulation and for routing victims toward further malicious content. The ClamAV signature and the ML classifier both indicate malicious intent. The document body, although partially corrupted, references Salesforce and contains a URL that matches one of the link annotations, which suggests a lure that sends the reader to external content. None of the three heuristics below concerns JavaScript or embedded files; the delivery channel in this sample is the link annotations themselves.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, typically clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels indicate which channel (macro, JavaScript, link annotation, document body, ...) reached each URL.
    • http://fecresources.net/uploads/1/3/0/6/130603761/mipexeginopafip.pdf
    • http://bucharestinthebeltway.com/uploads/1/3/0/7/130739971/xowoniruzexeza-pofitesoxad-wegegemikitofor-bapawuji.pdf
    • http://designsbylex.com/uploads/1/3/0/4/130489025/2974b3c12f.pdf
    • http://sarahvermette.ca/uploads/1/3/0/7/130775245/wajojabokefa.pdf
    • http://mowigiwew.do-long.com/uploads/2020/01/28/14f17b3033dceda.pdf
    • http://tappchicago.com/uploads/1/3/0/4/130489650/zupepajiduda.pdf
    • http://castlepinesvillagegardenclub.org/uploads/1/3/0/5/130551235/jerubegisavo.pdf
    • http://vapev.thetracker.online/uploads/2020/01/29/30a13659c.pdf
    • http://maribethshillsdale.com/uploads/1/3/0/3/130323381/luwolas.pdf
    • http://trentriverdesigns.com/uploads/1/3/0/6/130604764/130604764.html#exporting+joined+reports+in+salesforce+lightning
    Note that the ten URLs above sit on ten different hosts; what clusters them is the shared /uploads/1/3/0/<n>/<id>/ path template (and the two /uploads/2020/01/ variants), not a single host. When reproducing the link-farm rule, cluster on the path template as well as on the host. The last URL is the HTML page whose fragment ("exporting joined reports in salesforce lightning") matches the Salesforce reference in the document body.
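The two heuristics above (the link-farm rule and the per-channel URL extraction) can be reproduced with a small standard-library scan of the PDF object syntax. The block below is an added example written for this page, not the analysis platform's own code: it pulls /URI actions out of link annotations (including ones packed into FlateDecode object streams), pulls visible URLs out of content streams as the "document body" channel, checks whether a body URL is also a link target, and applies a link-farm rule whose thresholds (100 KB, five .pdf links, half on one host) are assumptions chosen for the example. The sample PDF it builds uses constructed .test hostnames rather than the URLs from this report.

```python
"""Link-farm heuristic for PDF samples (added example, not the report
platform's own code).  Standard library only: a regex scan over the PDF
object syntax plus inflation of FlateDecode streams, which covers the common
case of /Link annotations carrying /URI actions in plain objects or object
streams.  Thresholds are assumptions chosen for this example."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

MAX_SIZE_BYTES = 100 * 1024   # assumption: what counts as a "small" PDF
MIN_PDF_LINKS = 5             # assumption: "many" clickable external .pdf links
MIN_TOP_HOST_SHARE = 0.5      # assumption: "mostly clustered on one host"

URI_LIT_RE = re.compile(rb'/URI\s*\(([^)]*)\)')           # /URI (literal string)
URI_HEX_RE = re.compile(rb'/URI\s*<([0-9A-Fa-f\s]*)>')     # /URI <hex string>
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)
BODY_URL_RE = re.compile(rb'https?://[^\s<>()"\']+')


def _streams(data: bytes) -> list:
    """Bodies of all streams, inflated when they are zlib/FlateDecode data.
    decompressobj() is used so a stream cut one byte short by the EOL regex
    still yields its contents instead of failing on the Adler-32 trailer."""
    out = []
    for m in STREAM_RE.finditer(data):
        try:
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            out.append(m.group(1))     # uncompressed, or a filter not handled here
    return out


def extract_link_uris(data: bytes) -> list:
    """URLs reached through /URI actions (the 'link annotation' channel).
    Scans the raw file and every inflated stream so annotation dictionaries
    packed into object streams are seen too.  Escaped parentheses inside a
    literal string are not handled."""
    blob = data + b"\n" + b"\n".join(_streams(data))
    uris = [m.group(1) for m in URI_LIT_RE.finditer(blob)]
    for m in URI_HEX_RE.finditer(blob):
        digits = re.sub(rb'\s', b'', m.group(1))
        if len(digits) % 2:
            digits += b'0'             # PDF pads an odd-length hex string with 0
        uris.append(bytes.fromhex(digits.decode('ascii')))
    return [u.decode('latin-1') for u in uris]


def extract_body_urls(data: bytes) -> list:
    """URLs written as text inside streams (the 'document body' channel).
    Object streams are not told apart from page content here, so on real
    samples read this as 'URL present in some stream'."""
    urls = []
    for body in _streams(data):
        urls += [m.group(0).decode('latin-1') for m in BODY_URL_RE.finditer(body)]
    return urls


def link_farm_verdict(data: bytes) -> dict:
    """Apply a PDF_SEO_LINK_FARM-style rule and report the features behind it."""
    uris = extract_link_uris(data)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith('.pdf')]
    hosts = Counter(h for h in (urlparse(u).hostname for u in pdf_links) if h)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    body = extract_body_urls(data)
    return {
        'size_bytes': len(data),
        'link_uris': uris,
        'external_pdf_links': len(pdf_links),
        'top_host': top_host,
        'top_host_share': round(share, 3),
        'body_urls': body,
        # a body URL that is also a link target is the lure the analyst noted
        'body_link_overlap': sorted(set(body) & set(uris)),
        'link_farm': (len(data) <= MAX_SIZE_BYTES
                      and len(pdf_links) >= MIN_PDF_LINKS
                      and share >= MIN_TOP_HOST_SHARE),
    }


def build_sample_pdf(link_urls, body_url: str) -> bytes:
    """Constructed test input: one page, one /Link annotation per URL, and a
    FlateDecode content stream whose visible text contains body_url."""
    text = b"BT /F1 12 Tf 72 700 Td (" + body_url.encode() + b") Tj ET"
    packed = zlib.compress(text)
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10]"
        b" /A << /S /URI /URI (" + u.encode() + b") >> >>\n"
        for u in link_urls)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R"
            b" /Annots [" + annots + b"] >> endobj\n"
            b"4 0 obj << /Length " + str(len(packed)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + packed +
            b"\nendstream\nendobj\n%%EOF\n")


# Constructed sample (.test TLD), not the URLs from the real report.
SAMPLE_LINKS = [f"http://cdn.example.test/uploads/1/3/0/6/13060{i}/doc{i}.pdf"
                for i in range(8)] + [
    "http://other.example.test/uploads/2020/01/28/deadbeef.pdf",
    "http://cdn.example.test/pages/index.html#exporting+reports",
]
SAMPLE_BODY_URL = SAMPLE_LINKS[0]

if __name__ == '__main__':
    verdict = link_farm_verdict(build_sample_pdf(SAMPLE_LINKS, SAMPLE_BODY_URL))
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

On the constructed sample the rule fires (nine .pdf link targets, eight of them on one host, and the body URL matching the first link), and a two-link PDF does not. The regex approach deliberately ignores cross-reference tables and filters other than FlateDecode; for a production triage pipeline, parse the object graph with a real PDF library and walk /Annots per page so that the channel label is exact.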

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                       Size
font_00_sfnt_off000012c6.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x12C6    8704 bytes
  SHA-256: 087b1d8bc87828d4c5d79ce25ae583a90a32297b40172e714f47f39228c1954d
font_01_sfnt_off00005b03.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x5B03    16148 bytes
  SHA-256: 5687c5217bc54965024825883fd2306a4c0bb03e7ffae84c867e683966742750
font_02_sfnt_off00006f82.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x6F82    3440 bytes
  SHA-256: 80fd82e8d7f6c7383124e26acf670c2b68b29ba8ce7e05f80cea4f2a46bd44a5