Malicious PDF — malware analysis report

Static analysis result for SHA-256 fbaeea221925fb70…

Verdict: MALICIOUS
File type: PDF
Size: 65.6 KB
Authoring application: QPDF
MD5: 2218516842f2bf9e805fa3991f7cb43e
SHA-1: 557dbd379f0e4f15fef69360808b1067f5a7c574
SHA-256: fbaeea221925fb70a373688640491820a73dea86029834ca692e89da306641ce
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

This PDF file was flagged as malicious by multiple heuristics, including a critical finding for a PDF link farm. The document body contains numerous external URLs, the primary one being http://mari4ka.ru:80/uploads/2020/01/29/gobopovifijaw.pdf. This suggests the document's primary purpose is to lure users into clicking these links, which likely lead to phishing pages or further malware downloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://mari4ka.ru:80/uploads/2020/01/29/gobopovifijaw.pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00001450.bin
    SHA-256: 485b330309654dc2723287e412e75a1a922b61cf915eda1da8fc492e1dbc6a80
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1450
    Size: 8228 bytes
  • font_01_sfnt_off0000b0d4.bin
    SHA-256: da097a8c459adbfdf1b1d97412e41569b305acf822c6e113ff3e46e38a168572
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB0D4
    Size: 16224 bytes
  • font_02_sfnt_off0000c5ab.bin
    SHA-256: 236d54f3e2479d5e72da3d1be4616617e509581c3e9108e812f40a19f40d28ff
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC5AB
    Size: 2228 bytes