Malicious PDF — malware analysis report

Static analysis result for SHA-256 fee89bf44c2c2d6b…

Verdict: MALICIOUS
File type: PDF
Size: 44.0 KB
Authoring application: PDFedit
MD5: b299ff59ea5e8239a924c35e029c8d12
SHA-1: a676530eee36baa7da49cd45d2721c18a9cb4971
SHA-256: fee89bf44c2c2d6b8dbddb6ccfb33eaeb6a0be90d32be0063a89f0fa509a8af4
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link (the report's behaviour is click-through links; T1204.002 is Malicious File and was mislabelled in the original mapping)

The 44 KB PDF carries 23 extracted URLs, 21 of them pointing at other PDF files, spread over 22 distinct domains. The hosts differ, but every link shares the same /uploads/1/3/0/<d>/<id>/ path layout, which points to files uploaded through one site-builder platform rather than documents cited from unrelated sources. That is the footprint of a generated SEO/link-farm carrier: each PDF routes the reader to the next, and the chain typically ends in unwanted-software or phishing delivery. The ClamAV signature (Pdf.Phishing.TtraffRobotInstall-7605656-0) and the ML classifier (score 0.9999) agree on malicious intent. The report raises no JavaScript, OpenAction or embedded-file heuristic for this sample, so the risk sits in the links themselves: block the listed URLs, and treat further PDFs served from the same path layout on these hosts as part of the same chain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links. Whether they cluster on one host or, as in this sample, on one upload-path layout across many hosts, this matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV detected this file as Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): URLs extracted from the document
    A URL on its own is not a detection; what matters is the channel that reaches it (JavaScript, launch action, link annotation, document body, ...). For this sample the URLs are the clickable external links flagged by PDF_SEO_LINK_FARM, and every entry except the last two ends in .pdf under the same upload-path layout.
    • http://www.dashacademy.com/uploads/1/3/0/6/130620290/raderagaminizo.pdf
    • http://natureallbody4ever.com/uploads/1/3/0/4/130478203/2351826.pdf
    • http://moggiethecat.com/uploads/1/3/0/4/130476185/mopunozo.pdf
    • http://oyekanlaws.com/uploads/1/3/0/6/130639216/5dcf71cb20d8af.pdf
    • http://barridolaw.com/uploads/1/3/0/7/130776519/vumizaza.pdf
    • http://miamiexportpartscr.com/uploads/1/3/0/7/130739779/a557b03fe979.pdf
    • http://www.iq-estore.com/uploads/1/3/0/7/130738739/5958685.pdf
    • http://accuagencywebsites.com/uploads/1/3/0/7/130739479/zisotalepuwadas.pdf
    • http://claybon.shop/uploads/1/3/0/7/130739897/e147d4723.pdf
    • http://swap00.net/uploads/1/3/0/7/130739584/wirijawalora.pdf
    • http://minimaltees.com/uploads/1/3/0/3/130313632/xixefun_mosalotiwag_tofewamezuz_rezewuvisizaris.pdf
    • http://christianhartsough.com/uploads/1/3/0/8/130874370/6349cc9a2e36890.pdf
    • http://whatthesaintsknew.org/uploads/1/3/0/6/130605338/ced81e5d.pdf
    • http://natureswonders.net/uploads/1/3/0/4/130483325/8136942.pdf
    • http://www.emotivate.co.uk/uploads/1/3/0/7/130740249/kefozogifulitev.pdf
    • http://amusethemeparks.com/uploads/1/3/0/2/130271098/kikoxuselum.pdf
    • http://yigga.com/uploads/1/3/0/6/130639152/d5fda24.pdf
    • http://thememo.ca/uploads/1/3/0/7/130739194/xagul.pdf
    • http://mistersack.net/uploads/1/3/0/6/130621220/4772878.pdf
    • http://pasadena-dogtraining.com/uploads/1/3/0/4/130483805/1712387.pdf
    • http://www.raedans.com/uploads/1/3/0/5/130539238/laxuperirorolojo.pdf
    • http://kingshotelsmunichcenter.devsite-1.com/uploads/1/3/0/5/130588574/130588574.html#leadership+style+autocratic+democratic+laissez+faire
    • http://accuagencywebsites.com/uploads/1/3/0/7/130739479/zi
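The link-farm judgement above (the summary and the PDF_SEO_LINK_FARM heuristic) reduces to three measurable things: how many clickable external links the PDF carries, how many of them target PDFs, and whether their paths collapse to one shared template. The following Python is an added example, not code from the scanner or from this report. It builds a constructed one-page PDF with /Link annotations (placeholder .example hosts and file names, not the domains listed above), carves the /URI strings back out of the raw bytes, and applies an assumed heuristic with assumed thresholds (min_links, min_pdf_share, min_template_share) that approximates the report's rule; build_sample_pdf, extract_link_uris, path_template and assess_link_farm are the example's own names.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample targets, modelled on the report's pattern: many distinct hosts, one shared
# /uploads/<d>/<d>/<d>/<d>/<id>/ path layout, almost every target a PDF. The .example hosts
# and file names are placeholders, not the domains listed in the report.
SAMPLE_URLS = [
    "http://site-a.example/uploads/1/3/0/6/130620290/a1.pdf",
    "http://site-b.example/uploads/1/3/0/4/130478203/b2.pdf",
    "http://site-c.example/uploads/1/3/0/4/130476185/c3.pdf",
    "http://site-d.example/uploads/1/3/0/6/130639216/d4.pdf",
    "http://site-e.example/uploads/1/3/0/7/130776519/e5.pdf",
    "http://site-f.example/uploads/1/3/0/7/130739779/f6.pdf",
    "http://www.site-g.example/uploads/1/3/0/7/130738739/g7.pdf",
    "http://site-h.example/uploads/1/3/0/7/130739479/h8.pdf",
    "http://site-i.example/uploads/1/3/0/7/130739897/i9.pdf",
    "http://site-j.example/uploads/1/3/0/7/130739584/j10.pdf",
    "http://site-k.example/uploads/1/3/0/5/130588574/130588574.html#leadership+style",
    "http://site-a.example/about.html",
]
# An ordinary citation pattern for comparison (constructed).
BENIGN_URLS = [
    "https://example.org/papers/2019/smith.pdf",
    "https://example.net/docs/spec-v2.pdf",
    "https://example.com/about",
]

def build_sample_pdf(urls):
    """Constructed test input: a one-page PDF carrying one /Link annotation with a /URI action
    per URL, uncompressed, with a valid xref so ordinary PDF tools can open it as well."""
    def lit(s):  # PDF literal string; only backslash and parentheses need escaping
        return "(" + s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)") + ")"
    annots = [f"<< /Type /Annot /Subtype /Link /Rect [72 {700 - 14 * i} 400 {712 - 14 * i}] "
              f"/Border [0 0 0] /A << /S /URI /URI {lit(u)} >> >>" for i, u in enumerate(urls)]
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs = ["<< /Type /Catalog /Pages 2 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{refs}] >>",
            *annots]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref_at = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{o:010d} 00000 n \n".encode() for o in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref_at}\n%%EOF\n".encode()
    return bytes(out)

# /URI followed by a literal string; escaped characters inside the string are tolerated.
# Hex-string form (/URI <...>) and indirect-object URIs are not handled here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

def extract_link_uris(pdf: bytes):
    """Carve every /URI literal out of raw PDF syntax. Ignoring the object graph means this works
    on samples with a broken xref, but compressed object streams must be inflated first
    (for example with qpdf --qdf --object-streams=disable) or the annotations stay invisible."""
    return [re.sub(rb"\\([()\\])", rb"\1", m).decode("latin-1") for m in URI_RE.findall(pdf)]

def path_template(url: str) -> str:
    """Directory part of the path with digit runs collapsed: /uploads/1/3/0/6/130620290/x.pdf
    becomes /uploads/N/N/N/N/N, so links to the same hosting platform cluster together."""
    return re.sub(r"\d+", "N", urlsplit(url).path.rsplit("/", 1)[0])

def assess_link_farm(urls, min_links=10, min_pdf_share=0.8, min_template_share=0.8):
    """Assumed heuristic (not the scanner's actual rule): flag when a document carries many
    external links, nearly all to PDFs, whose paths collapse to one shared template."""
    n = len(urls)
    if n == 0:
        return {"links": 0, "flagged": False}
    hosts = Counter(urlsplit(u).hostname or "" for u in urls)
    pdf_share = sum(urlsplit(u).path.lower().endswith(".pdf") for u in urls) / n
    top_template, top_count = Counter(path_template(u) for u in urls).most_common(1)[0]
    template_share = top_count / n
    return {
        "links": n,
        "distinct_hosts": len(hosts),
        "pdf_share": round(pdf_share, 2),
        "top_path_template": top_template,
        "template_share": round(template_share, 2),
        "flagged": n >= min_links and pdf_share >= min_pdf_share and template_share >= min_template_share,
    }

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    print(assess_link_farm(extract_link_uris(sample)))   # flagged, 12 links over 11 hosts
    print(assess_link_farm(BENIGN_URLS))                  # not flagged
```

Two practical caveats: the path-template clustering is what separates this sample from a bibliography (a real reference list spreads over many path shapes, a farm collapses to one), and the raw-bytes extraction is only complete after inflating the file, since a link farm hidden in a FlateDecode object stream produces zero matches otherwise.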

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font programs; the report raises no detection on them.

Filename                       Kind             Source                                     Size
font_00_sfnt_off00003535.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x3535  16120 bytes
  SHA-256: 9870c884dd6e450fb42143a6e17b42e5e3dc59c66b8cad80c6eb7379339c2a6e
font_01_sfnt_off00004c8a.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x4C8A  7696 bytes
  SHA-256: d6cb6c2f69a6f9dc6ac47552ccdd795b730e5445732706f0c920e842b4e6612d
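The two artifacts above are sfnt fonts located at byte offsets inside the file, each with a length. A carver gets that length from the font's own table directory rather than trusting the surrounding PDF dictionary, and it must do more than match the 4-byte magic, since 00 01 00 00 occurs constantly in binary data. The following Python is an added example, not the scanner's code: it validates a candidate header through its table directory, computes the font's extent as the end of its furthest table rounded up to 4 bytes, and runs over a constructed blob containing a decoy magic and two synthetic fonts. build_sfnt, carve_sfnt, sfnt_length, SFNT_MAGICS and MAX_TABLES are the example's own names, and the 64-table sanity bound is an assumption.

```python
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")   # TrueType, Apple TrueType, CFF OpenType
MAX_TABLES = 64   # sanity bound (assumption); real fonts carry well under 40 tables

def sfnt_length(buf: bytes, off: int):
    """Length of the sfnt starting at buf[off], derived from its table directory, or None
    if the bytes there do not form a plausible directory (a magic alone is too weak)."""
    if buf[off:off + 4] not in SFNT_MAGICS or off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    avail = len(buf) - off
    directory_end = 12 + 16 * num_tables           # header plus one 16-byte record per table
    if directory_end > avail:
        return None
    end = directory_end
    for i in range(num_tables):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= b < 0x7F for b in tag):  # tags are printable ASCII ("OS/2", "cvt ")
            return None
        if toff < directory_end or toff + tlen > avail:
            return None
        end = max(end, toff + tlen)
    return min((end + 3) & ~3, avail)              # tables are 4-byte aligned; never run past the buffer

def carve_sfnt(buf: bytes):
    """Scan a blob (a decoded font stream, or a whole file) for sfnt fonts.
    Returns (offset, length, data) triples; a validated font is skipped over, not rescanned."""
    found, pos = [], 0
    while pos <= len(buf) - 4:
        if buf[pos:pos + 4] in SFNT_MAGICS:
            n = sfnt_length(buf, pos)
            if n:
                found.append((pos, n, buf[pos:pos + n]))
                pos += n
                continue
        pos += 1
    return found

def build_sfnt(tables: dict) -> bytes:
    """Constructed test font: a syntactically valid TrueType container with dummy table bodies
    (checksums left at zero; a stricter carver would verify them)."""
    n = len(tables)
    p = 1 << (n.bit_length() - 1)                  # largest power of two <= n
    search_range, entry_selector, range_shift = p * 16, p.bit_length() - 1, n * 16 - p * 16
    header = struct.pack(">IHHHH", 0x00010000, n, search_range, entry_selector, range_shift)
    records, data = b"", b""
    for tag, body in sorted(tables.items()):
        records += struct.pack(">4sIII", tag.encode(), 0, 12 + 16 * n + len(data), len(body))
        data += body + b"\0" * (-len(body) % 4)
    return header + records + data

# Constructed blob: junk, a decoy magic with an absurd table count, two fonts, filler between.
FONT_A = build_sfnt({"head": b"H" * 54, "name": b"N" * 20})   # 120 bytes
FONT_B = build_sfnt({"OS/2": b"O" * 10, "glyf": b"G" * 7})    # 64 bytes
SAMPLE_BLOB = b"junk" + b"\x00\x01\x00\x00\xff\xff" + FONT_A + b"more" + FONT_B

if __name__ == "__main__":
    for off, n, _ in carve_sfnt(SAMPLE_BLOB):
        print(f"sfnt at offset 0x{off:04X}, {n} bytes")
```

The decoy at offset 4 has the right magic but claims 65535 tables and is rejected; the two real fonts are reported at offsets 10 and 134 with their directory-derived sizes. On a real PDF the same routine is run over the inflated FontFile2/FontFile3 stream, and the resulting bytes are what gets hashed into the artifact table.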