Malicious PDF — malware analysis report

Static analysis result for SHA-256 fd5eb71d8b3fd489…

MALICIOUS

PDF

Size: 40.9 KB
Authoring application: Pdftk
MD5: dd2fc03bfa01ad3713fe3a7f4a16c7b2
SHA-1: 4d770669796774003b430a3a372f6c5f186b4011
SHA-256: fd5eb71d8b3fd489d17034e758a0696e07072d781e505473ecb858af3f71c665
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to other PDF files, a technique commonly used for SEO manipulation or to distribute further malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent. The embedded URLs suggest a phishing or content distribution attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003299.bin
  SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3299
  Size: 2600 bytes

Filename: font_01_sfnt_off00003e54.bin
  SHA-256: a14c1a8eaab5b5def2a2a21dc37cc91b1d23aacefc2cdd02eaf854e61a3b6f46
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x3E54
  Size: 8336 bytes