Malicious PDF — malware analysis report

Static analysis result for SHA-256 02d11f09fb54b442…

Verdict: MALICIOUS
File type: PDF
Size: 48.7 KB
Authoring application: Poppler-utils
MD5: 809fa9bceb53f39b893a0ba79100b0d5
SHA-1: 35019ec46c51ce17ddb194bbc215718f69ba7798
SHA-256: 02d11f09fb54b4428340382c5c989415caf62b2123ed43618eb06b87477ae1d2
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. This suggests a malicious intent to redirect users to potentially harmful content or to manipulate search engine rankings. The ClamAV detection and ML classifier further support its malicious nature, indicating it is likely a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://ifixhomesllc.com/uploads/1/3/0/6/130639398/9966048.pdf
    • http://mta-sts.jasonhoppe.com/uploads/1/3/0/7/130775746/6998452.pdf
    • http://mnechemia.com/uploads/1/3/0/7/130740128/3738925.pdf
    • http://ameskornerstore.com/uploads/1/3/0/5/130551257/7923629.pdf
    • http://fatherlessamerica.net/uploads/1/3/0/6/130640022/mumebepexukal.pdf
    • http://team11-dwts4hope.com/uploads/1/3/0/3/130313641/9456443.pdf
    • http://effectiveinfotech.com/uploads/1/3/0/4/130483515/xozabi_donemax_dojul_nutilevu.pdf
    • http://sticktohim.com/uploads/1/3/0/3/130313398/narawep_gowidewisanupov_zotosorinokozo.pdf
    • http://sikhcouncilbirmingham.org/uploads/1/3/0/5/130590158/nawisuvulozabosifeje.pdf
    • http://marieandrees.com/uploads/1/3/0/5/130540926/kivabiwuga.pdf
    • http://themindfulchristian.net/uploads/1/3/0/8/130874189/3867241.pdf
    • http://index92.pleasingfood.com/uploads/1/3/0/5/130588547/130588547.html#airtel+digital+tv+monthly+packages+in+assam
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00004de8.bin
    SHA-256: 32b54217619f9438721b423dc2f4f4da0f78781b0811ea49af2be6b0310ecf56
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4DE8
    Size: 16164 bytes
  • Filename: font_01_sfnt_off000065f3.bin
    SHA-256: a12791ca9f6c259fbba7807fedf489746331a7b541d689befc53370888ac1216
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x65F3
    Size: 8616 bytes