Malicious PDF — malware analysis report

Static analysis result for SHA-256 034c3ff81b02deef…

Verdict: MALICIOUS
File type: PDF
Size: 38.9 KB
Authoring application: QPDF
MD5: d20d5228d36f57b5093fcb196812badd
SHA-1: d954038c3bdfa3e5a9a9e6ceee6ed2b13c3854a6
SHA-256: 034c3ff81b02deef11c2570ea2b399690fb380d20c4b41d950c15a1f11267bc1
Risk score: 152

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The PDF carries 16 extracted URLs, 15 of which point at other PDF files hosted on different domains that all share the same /uploads/1/3/0/… path layout. This is the pattern of generated SEO/link-farm carriers used to route victims into malware or unwanted-software delivery chains rather than a normal citation pattern. The ClamAV signature and the ML classifier agree on a malicious verdict, most likely phishing or malware distribution. No scripts were extracted and the only carved object is an embedded font, so the embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier: malicious, score 1.0000

Heuristics (3)

  • Small PDF contains a mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URLs [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://poeonline.net/uploads/1/3/0/4/130435717/tivipolakidufaw.pdf
    • http://dancedietitian.com/uploads/1/3/0/3/130313169/xizusux.pdf
    • http://www.retro-beatz.com/uploads/1/3/0/3/130323979/xeroxejenewafadaxo.pdf
    • http://abimanyuvillasbali.com/uploads/1/3/0/8/130874108/9289575.pdf
    • http://aldf.ca/uploads/1/3/0/5/130545597/biwupogu-rirudagonup.pdf
    • http://thepublicsociety.net/uploads/1/3/0/6/130605190/9b34ef43d4a001.pdf
    • http://lidiabrito.com/uploads/1/3/0/5/130551144/853040.pdf
    • http://amateurthongs.com/uploads/1/3/0/2/130272979/wugojuwifixalip_rimebu.pdf
    • http://thesugarlifeco.net/uploads/1/3/0/8/130814355/puwez_sesosowesoviwi_pusidovoxi_pefades.pdf
    • http://peoplesgreenparty.org/uploads/1/3/0/9/130969403/9828859.pdf
    • http://laketravischeerleading.com/uploads/1/3/0/8/130814345/3610069.pdf
    • http://wellnesslifestylelounge.com/uploads/1/3/0/7/130776330/nanajanaranodobov.pdf
    • http://jellstreats.com/uploads/1/3/0/3/130323342/8a17851c8b1fb3a.pdf
    • http://rockthecatspa.us/uploads/1/3/0/6/130621006/zizadivowetif-walilen-rijonisobuwe.pdf
    • http://ghoulstock.com/uploads/1/3/0/8/130874130/2784979.pdf
    • http://a1096165xstreamtravel.xsideas.com/uploads/1/3/0/5/130540214/130540214.html#bayesian+ideas+and+data+analysis+pdf
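As an added example (not the scanner's own code), the following Python script reproduces the logic behind the PDF_SEO_LINK_FARM and EMBEDDED_URL findings above: it pulls URLs out of /Link annotations and page content streams, labels each by channel, and flags a small PDF whose links are mostly external .pdf targets clustering on one host or one path template. The path-template signal is my generalization, since the targets listed above sit on different hosts but share the /uploads/1/3/0/… layout. The test PDF is constructed inside the script on RFC 2606 reserved domains; the extractor handles only unencrypted files with plain or Flate-compressed streams, so real samples usually need a full parser (pypdf, pdfminer) first.

```python
"""PDF link-farm triage. Added example, not the scanner's own code.

Extracts URLs from /Link annotations and page content streams, labels each
by channel, and flags small PDFs whose links are mostly external .pdf targets
clustered on one host or one path template (the template check is my own
extension). Handles unencrypted PDFs with plain or Flate streams only.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

CHANNEL_LINK_ANNOT = "link annotation"
CHANNEL_BODY = "document body"

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj\b(.*?)\bendobj", re.S)
LINK_RE = re.compile(rb"/Subtype\s*/Link\b")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
BODY_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")


def extract_urls(pdf: bytes):
    """Return (url, channel) pairs found in annotation dicts and in streams."""
    found = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(1)
        if LINK_RE.search(body):
            found += [(u.decode("latin-1"), CHANNEL_LINK_ANNOT) for u in URI_RE.findall(body)]
        for raw in STREAM_RE.findall(body):
            data = raw
            if b"/FlateDecode" in body:
                try:
                    data = zlib.decompress(raw)
                except zlib.error:
                    continue  # damaged or differently encoded stream: skip it
            found += [(u.decode("latin-1"), CHANNEL_BODY) for u in BODY_URL_RE.findall(data)]
    return found


def path_template(url: str) -> str:
    """'/uploads/1/3/0/4/130435717/x.pdf' -> '/uploads/N/N/N/N/N' (digit runs folded)."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def link_farm_verdict(pdf: bytes, min_links=10, max_size=100 * 1024, cluster_share=0.5):
    """Counts, dominant cluster share (host or path template) and a verdict flag."""
    annots = [u for u, ch in extract_urls(pdf) if ch == CHANNEL_LINK_ANNOT]
    ext_pdf = [u for u in annots if urlsplit(u).path.lower().endswith(".pdf")]
    host_top = Counter(urlsplit(u).hostname for u in ext_pdf).most_common(1)
    tmpl_top = Counter(path_template(u) for u in ext_pdf).most_common(1)
    top = max(host_top[0][1] if host_top else 0, tmpl_top[0][1] if tmpl_top else 0)
    share = top / max(len(ext_pdf), 1)
    flagged = (len(pdf) <= max_size and len(ext_pdf) >= min_links
               and len(ext_pdf) >= 0.8 * len(annots) and share >= cluster_share)
    return {"size": len(pdf), "link_annots": len(annots), "external_pdf_links": len(ext_pdf),
            "cluster_share": round(share, 2), "flagged": flagged}


def build_sample_pdf(urls, body_url=None) -> bytes:
    """Constructed test input: one page, one /Link annotation per URL, and an
    optional URL printed in the page text (exercises the document-body channel)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R "
                b"/Annots [" + annot_refs + b"] >>")
    text = b"BT /F1 12 Tf 72 720 Td (" + (body_url or "see links").encode() + b") Tj ET"
    objs.append(b"<< /Length %d >>\nstream\n" % len(text) + text + b"\nendstream")
    for i, u in enumerate(urls):
        y = 700 - 14 * i
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 400 %d] /Border [0 0 0] "
                    b"/A << /S /URI /URI (%s) >> >>" % (y, y + 12, u.encode()))
    out, offsets = b"%PDF-1.4\n", []
    for n, o in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % n + o + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return out


# Constructed targets on RFC 2606 reserved domains, shaped like the sample's URLs.
SAMPLE_URLS = ["http://site%02d.example/uploads/1/3/0/%d/13031%04d/doc%d.pdf" % (i, i % 9, i * 37, i)
               for i in range(16)]

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS, body_url="http://www.example.com/index.html")
    for url, channel in extract_urls(sample):
        print(f"{channel:16} {url}")
    print(link_farm_verdict(sample))
```

The thresholds (10 links, 100 KB, 50 % cluster share) are assumptions chosen for the example, not the scanner's tuning; a benign paper with a handful of citation links stays below the link count and is not flagged.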

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003d00.bin
SHA-256: fdc0c06d0fe7b40e66da66c340777c81ff7d80563a9a3420d6259dac5b3b357f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3D00
Size: 8108 bytes
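To re-verify a carved artifact like the one above without trusting the scanner, an analyst re-reads the byte range from the sample, checks that it really starts with an sfnt (TrueType/OpenType) table directory whose tables fit inside the carved length, and recomputes the SHA-256 for comparison with the reported hash. The Python below is an added example, not the scanner's code; because the sample is not on this page, it builds a tiny synthetic font (constructed, not the real 8108-byte stream) and plants it at the reported offset 0x3D00 inside padding.

```python
"""Re-carve and validate an sfnt font stream. Added example, not the scanner's code."""
import hashlib
import struct

SFNT_MAGICS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}  # TrueType / Apple / CFF-based OpenType


def parse_sfnt(data: bytes):
    """Return [(tag, offset, length), ...] if data starts with a well-formed sfnt
    table directory that fits within len(data), else None."""
    if len(data) < 12 or data[:4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack(">H", data[4:6])[0]
    if num_tables == 0 or 12 + 16 * num_tables > len(data):
        return None
    tables = []
    for i in range(num_tables):
        rec = data[12 + 16 * i: 28 + 16 * i]
        tag, _checksum, off, length = struct.unpack(">4sIII", rec)
        if off + length > len(data):
            return None  # table body points past the carve: truncated or bogus directory
        tables.append((tag.decode("latin-1"), off, length))
    return tables


def carve_font(sample: bytes, offset: int, size: int) -> dict:
    """Slice the reported range out of the sample, validate it and hash it."""
    blob = sample[offset: offset + size]
    if len(blob) != size:
        raise ValueError("carve range exceeds sample length")
    tables = parse_sfnt(blob)
    return {"sha256": hashlib.sha256(blob).hexdigest(),
            "valid_sfnt": tables is not None,
            "tables": tables or []}


def build_synthetic_sfnt(tables: dict) -> bytes:
    """Constructed test data: a minimal sfnt holding the given {tag: payload} tables."""
    n = len(tables)
    entry_selector = n.bit_length() - 1
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, search_range,
                         entry_selector, n * 16 - search_range)
    directory, body = b"", b""
    base = 12 + 16 * n
    for tag, payload in tables.items():
        directory += struct.pack(">4sIII", tag.encode(), 0, base + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)  # tables are 4-byte aligned
    return header + directory + body


def demo_sample(font: bytes, offset: int = 0x3D00) -> bytes:
    """Constructed stand-in for the PDF: a header, zero padding, the font at `offset`."""
    head = b"%PDF-1.4\n"
    return head + b"\0" * (offset - len(head)) + font + b"\n%%EOF\n"


if __name__ == "__main__":
    font = build_synthetic_sfnt({"head": b"\0" * 54, "cmap": b"\0\0\0\x01"})
    sample = demo_sample(font)
    print(carve_font(sample, 0x3D00, len(font)))
```

A carve that is off by even one byte fails the magic check, and a directory whose tables run past the carved length is reported as invalid, which is the quickest way to tell a genuine embedded font from a font-shaped container hiding a payload.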