Malicious PDF — malware analysis report

Static analysis result for SHA-256 01d914f8f86c1a1d…

Verdict: MALICIOUS
File type: PDF
Size: 49.0 KB
Authoring application: PDFBox
MD5: 16168779dcaca86d91840eb2fff5141a
SHA-1: 5e34d3211e9d19548680a23ca2f62fb7eab0bf8c
SHA-256: 01d914f8f86c1a1d5139619d5c502cbf97274ba43515ea59262dc9ab6eba5ff5
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF carries an unusually large number of embedded URLs for a file of 49 KB. The PDF_SEO_LINK_FARM heuristic fired because the clickable external links cluster together and point at further .pdf files, a pattern consistent with generated link-farm or phishing carriers rather than ordinary document citations. The ClamAV signature and the ML classifier independently support the malicious verdict. No script content was extracted from the sample, so the T1059.007 (JavaScript) mapping is not corroborated by the recovered artifacts; the evidence rests on the document structure and URL distribution, which indicate an attempt to route users to external content, most likely for SEO manipulation or to stage later steps of a delivery chain.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://jimrollins.net/uploads/1/3/0/8/130814065/2796071.pdf
    • http://partisanrecords.net/uploads/1/3/0/6/130621436/fewiz.pdf
    • http://slushproductions.com/uploads/1/3/0/6/130604309/fawukodewerikov_rugejitatizunof.pdf
    • http://positivelygroovy.net/uploads/1/3/0/8/130814238/sivosodojuluke_fenujovivewu_novabagutewam.pdf
    • http://global4xloan.com/uploads/1/3/0/3/130379342/936465.pdf
    • http://nshoilpurifier.com/uploads/1/3/0/6/130639209/zudajuduxowu_tanovor.pdf
    • http://vojefana.onlyoil.ru/uploads/2020/01/29/koxib.pdf
    • http://monthlytights.net/uploads/1/3/0/5/130544067/7a2354c2.pdf
    • http://kreativekidsworld.com/uploads/1/3/0/5/130538891/130538891.html#ethanol+metabolism+rate+calculator
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    Nine of the twelve targets sit under an /uploads/ path, eight of them with the identical /uploads/1/3/0/N/N/ shape on different hosts, which is the clustering the link-farm heuristic keys on. The per-URL channel labels are not present in this export, but the last three entries (the Ascender Corporation site and the Liberation Font License page) are the vendor and license strings carried in the name table of the Liberation font family, consistent with the two sfnt fonts carved below; they are most plausibly font metadata rather than clickable lures and should not be treated as link-farm targets.
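To make the PDF_SEO_LINK_FARM logic concrete, the following Python script is an added example, not code from the analysis platform or from this report. Using only the standard library it pulls every /URI action out of a PDF, measures how strongly the external targets cluster (by host, and also by path shape, since the targets listed above share an /uploads/N/N/N/N/N/ layout across different hosts), and combines that with file size and link count into a verdict. The minimal sample PDF, the reserved example hosts and the thresholds (200 KB, five links, 60% clustering) are assumptions chosen for the demo, not the platform's tuned values.

```python
"""Link-farm heuristic over a PDF's /Link annotations (stdlib only)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample input: reserved example hosts, path shape mimicking the
# auto-generated "/uploads/N/N/N/N/N/name.pdf" layout seen in link-farm carriers.
SAMPLE_URIS = [
    "http://host-a.example/uploads/1/3/0/8/130814065/2796071.pdf",
    "http://host-b.example/uploads/1/3/0/6/130621436/fewiz.pdf",
    "http://host-c.example/uploads/1/3/0/6/130604309/fawukodewerikov.pdf",
    "http://host-d.example/uploads/1/3/0/8/130814238/sivosodojuluke.pdf",
    "http://host-e.example/uploads/1/3/0/3/130379342/936465.pdf",
    "http://host-f.example/uploads/1/3/0/6/130639209/zudajuduxowu.pdf",
    "https://vendor.example/wiki/LiberationFontLicense",  # font vendor/license string, not a lure
]


def build_sample_pdf(uris):
    """Assemble a tiny PDF (no xref table, enough for a byte-level scan) with one Link per URI."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ("
        + u.encode("latin-1") + b") >> >>\n" for u in uris)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n" + annots + b"] >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


def extract_link_uris(pdf):
    """Pull every /URI target out of the file, handling literal and hex PDF strings."""
    uris = []
    for m in re.finditer(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", pdf, re.S):
        uris.append(re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1"))  # drop backslash escapes
    for m in re.finditer(rb"/URI\s*<([0-9A-Fa-f\s]*)>", pdf):
        h = re.sub(rb"\s", b"", m.group(1)).decode()
        uris.append(bytes.fromhex(h + "0" * (len(h) % 2)).decode("latin-1"))  # odd length: pad with 0
    return uris


def path_template(url):
    """Collapse a URL path to its shape: numeric segments become N, the filename becomes *.ext."""
    parts = urlsplit(url).path.split("/")
    shaped = []
    for i, seg in enumerate(parts):
        if i == len(parts) - 1 and "." in seg:
            shaped.append("*" + seg[seg.rfind("."):].lower())
        elif any(c.isdigit() for c in seg):
            shaped.append("N")
        else:
            shaped.append(seg)
    return "/".join(shaped)


# Thresholds are assumptions for this demo, not the analysis platform's values.
def score_link_farm(pdf, max_size=200_000, min_links=5, min_cluster=0.6):
    """Return the signals behind a small-PDF link-farm verdict."""
    external = [u for u in extract_link_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    if not external:
        return {"links": 0, "pdf_links": 0, "cluster": None, "cluster_ratio": 0.0, "link_farm": False}
    pdf_links = sum(1 for u in external if urlsplit(u).path.lower().endswith(".pdf"))
    by_host = Counter(urlsplit(u).hostname or "" for u in external).most_common(1)[0]
    by_shape = Counter(path_template(u) for u in external).most_common(1)[0]
    cluster, count = max((by_host, by_shape), key=lambda kv: kv[1])  # strongest clustering wins
    ratio = count / len(external)
    return {
        "links": len(external),
        "pdf_links": pdf_links,
        "cluster": cluster,
        "cluster_ratio": ratio,
        "link_farm": len(pdf) <= max_size and len(external) >= min_links and ratio >= min_cluster,
    }


if __name__ == "__main__":
    print(score_link_farm(build_sample_pdf(SAMPLE_URIS)))
```

Host clustering alone would miss the sample above (every target is on a different host), which is why the path-shape signal is included: generated carriers reuse one upload template across many throwaway domains.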

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000123d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x123D
    Size: 9060 bytes
    SHA-256: 328f15b1d2899eb33e23f9fcbd595bc9411db8eca537a649d06206172aee3bd6
  • font_01_sfnt_off000083d3.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x83D3
    Size: 3008 bytes
    SHA-256: abf3d494d2df6e1da74bb87fc3e2c5286dba45d599c33d38ae9219503d5ec8e1
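The two font artifacts above were carved by locating sfnt headers inside the PDF's streams. The script below is an added example of that carving step, not the platform's own carver: it walks the file's stream objects, inflates FlateDecode streams, validates each candidate sfnt header by checking its table directory (table count, printable tags, tables inside the buffer), cuts the font at the end of its last table and hashes it. The synthetic font and the two-stream PDF it is embedded in are constructed test data; the regexes assume flat stream dictionaries with a direct /Length, which is enough for the demo but is not a general PDF parser.

```python
"""Carve embedded sfnt (TrueType/OpenType) fonts out of PDF streams (stdlib only)."""
import hashlib
import re
import struct
import zlib

SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true")
# Assumptions for this demo: a flat stream dictionary (no nested << >>) and a direct /Length.
STREAM_RE = re.compile(rb"<<(?P<dict>[^<>]*)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s*\d+\s+R)")


def sfnt_extent(buf, off):
    """Validate an sfnt header at buf[off:] and return the font's byte length, or None."""
    if buf[off:off + 4] not in SFNT_MAGIC or off + 12 > len(buf):
        return None
    num_tables = struct.unpack(">H", buf[off + 4:off + 6])[0]
    if not 1 <= num_tables <= 64:            # real fonts carry a handful of tables
        return None
    directory_end = 12 + 16 * num_tables
    if off + directory_end > len(buf):
        return None
    end = directory_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        tag, _checksum, t_off, t_len = struct.unpack(">4sIII", buf[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag):   # table tags are printable ASCII
            return None
        if t_off < directory_end or off + t_off + t_len > len(buf):
            return None                               # table outside the buffer: bogus header
        end = max(end, t_off + t_len)
    return end


def carve_sfnt_fonts(pdf):
    """Return one record per sfnt found in any stream, inflating FlateDecode streams first."""
    hits = []
    for m in STREAM_RE.finditer(pdf):
        d, start = m.group("dict"), m.end()
        lm = LENGTH_RE.search(d)
        if lm:
            data = pdf[start:start + int(lm.group(1))]
        else:
            e = pdf.find(b"endstream", start)
            data = pdf[start:e if e >= 0 else len(pdf)]
        inflated = b"/FlateDecode" in d
        if inflated:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue                      # corrupt or not actually Flate: skip the stream
        pos = 0
        for mm in re.finditer(rb"\x00\x01\x00\x00|OTTO|true", data):
            if mm.start() < pos:
                continue                      # inside a font we already carved
            n = sfnt_extent(data, mm.start())
            if n is None:
                continue                      # magic bytes without a sane table directory
            font = data[mm.start():mm.start() + n]
            pos = mm.start() + n
            hits.append({
                # a file offset is only meaningful when the stream was stored raw
                "offset": None if inflated else start + mm.start(),
                "inflated": inflated,
                "size": n,
                "sha256": hashlib.sha256(font).hexdigest(),
                "data": font,
            })
    return hits


def build_fake_sfnt(tables):
    """Constructed test font: a valid sfnt directory over arbitrary table payloads."""
    n = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, 0, 0, 0)
    records, body, offset = b"", b"", 12 + 16 * n
    for tag, payload in tables:
        records += struct.pack(">4sIII", tag, 0, offset + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)   # tables are 4-byte aligned
    return header + records + body


def build_sample_pdf(font):
    """Constructed PDF fragment: the same font once raw and once Flate-compressed."""
    packed = zlib.compress(font)
    return (b"%PDF-1.4\n"
            b"4 0 obj << /Length " + str(len(font)).encode() + b" >>\nstream\n" + font
            + b"\nendstream\nendobj\n"
            b"5 0 obj << /Length " + str(len(packed)).encode() + b" /Filter /FlateDecode >>\nstream\n"
            + packed + b"\nendstream\nendobj\n%%EOF\n")


FONT = build_fake_sfnt([(b"head", b"H" * 54), (b"glyf", b"G" * 40)])
PDF = build_sample_pdf(FONT)


def demo():
    """Carve both copies of FONT out of the constructed PDF."""
    return carve_sfnt_fonts(PDF)


if __name__ == "__main__":
    for h in demo():
        where = "inflated stream" if h["inflated"] else f"file offset 0x{h['offset']:X}"
        print(f"sfnt {h['size']} bytes at {where} sha256={h['sha256']}")
```

The header validation matters more than the magic match: the four-byte value 0x00010000 and the word "true" occur in ordinary data all the time, and without checking the table directory a carver emits junk artifacts that then get hashed and hunted for.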