Malicious PDF — malware analysis report

Static analysis result for SHA-256 fe4256007be98287…

MALICIOUS

PDF

51.3 KB Authoring application: GIMP
MD5: ad5bcbfd03996611ab3fc64dcd1874ac SHA-1: 32e7aa68cf7752b5eacb90765564fb51f73b956b SHA-256: fe4256007be98287955010a585a69a2eb9eccc4c4f2b210f083b399241989254
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The document body text mentions 'Android apps not ing from app store' and includes several URLs that appear to be part of a link farm. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious redirection intent. The primary goal appears to be directing users to a network of external PDF documents.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bipa.massrage.ru/uploads/2020/01/28/zesixesefopirisukos.pdf
    • http://amylographics.com/uploads/1/3/0/6/130621102/gogoburufuga_vuwuzubutewog_zikunateba.pdf
    • http://eurekaarchitecture.com/uploads/1/3/0/5/130540197/wutajopalo.pdf
    • http://timmas.space/uploads/1/3/0/6/130620677/kilobigajovidod-lisorekarojipe-sowupinugow.pdf
    • http://logisticsbeacon.com/uploads/1/3/0/2/130271214/8287712.pdf
    • https://xopaxutozuwox.weebly.com/uploads/1/3/0/4/130435987/950a1c95b6.pdf
    • http://minimographics.com/uploads/1/3/0/2/130287317/ba36b70d87b719.pdf
    • http://thefamilyfunband.com/uploads/1/3/0/6/130620936/4144721.pdf
    • http://benkregel.com/uploads/1/3/0/3/130323156/130323156.html#android+apps+not+ing+from+app+store

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001216.bin
1dbbbae127ff78b119f1aa43f3fd79b526f21515abb1359b40caf1c162513975		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1216 8592 bytes
font_01_sfnt_off00008ea7.bin
e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8EA7 2652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.