Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb4a321e1c90b7d1…

MALICIOUS

PDF

Size: 53.3 KB
Authoring application: pdf-parser
MD5: 256132f46cdd96c90d96918bb6bc4307
SHA-1: 104ed9173ad336a3df891e333e6a8ceeab2a6207
SHA-256: fb4a321e1c90b7d11d4446baa2414ac59cb8fdfbb3e839f6b5e240f1a1a94a79
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various PDF files hosted on different domains. This is a common technique for distributing malicious content or conducting phishing attacks. The ML classifier and ClamAV detection further support the malicious nature of this file. No scripts were extracted, and the document body was heavily obfuscated, making it difficult to determine the exact lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000011a3.bin
    SHA-256: 75cbe0fa3b90432dca73607785e65547bcb0aa9e12fcfc2d1697234c1b53e44a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11A3
    Size: 8880 bytes
  • Filename: font_01_sfnt_off00008978.bin
    SHA-256: dd4c8c41452858522ae2739d2ec0f24e5850ea50d383c7fed979faec26c4bbc8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8978
    Size: 16508 bytes