PDF malware analysis — malicious · 0460bce817081df4

MALICIOUS

PDF

60.5 KB Authoring application: SWFTools

MD5: 648cc4d1b3ef91c6b069cfeba846f3c1 SHA-1: 0e030d5cbf6a3fc06d11af6259fdbe8e818aedb4 SHA-256: 0460bce817081df4b928d36878dc733112fad6612c9da61f69d4350df042f78c

152 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection and ML classifier also indicate maliciousness, likely related to phishing or spam distribution. The embedded URLs are the primary indicators of compromise, suggesting a campaign to drive traffic to these external resources.

Machine Learning

Nyx PDF Classifier malicious score 0.9997

Heuristics 3

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://nyman.life/uploads/1/3/0/4/130483576/d6e5af10287.pdf
- http://etergrow.com/uploads/1/3/0/3/130323164/5654395.pdf
- http://bandstore.net/uploads/1/3/0/5/130550752/4485462.pdf
- http://www.ongediertebestrijding-kampen.com/uploads/1/3/0/3/130323415/sobemafer.pdf
- http://nortmilkendigital.com/uploads/1/3/0/6/130604259/ed35c9a28e2ccb7.pdf
- http://3gatewaycenter.com/uploads/1/3/0/3/130379297/fatukizoxej.pdf
- http://williamfrankel.com/uploads/1/3/0/5/130551177/783818.pdf
- http://www.iscremodeling.com/uploads/1/3/0/5/130590511/sadutij-fedexedomedid-fonipilazusonok-xuxekagotulolew.pdf
- http://webdisk.goodtimessinger.com/uploads/1/3/0/4/130476152/8a85b3f.pdf
- http://triajecareservices.co.uk/uploads/1/3/0/9/130969974/jerofolatax_tobola.pdf
- http://flowm.io/uploads/1/3/0/5/130541137/sogefumedawapef-mekatinasojej.pdf
- http://www.holistichealinggranada.com/uploads/1/3/0/2/130288532/7a904fde291bd.pdf
- http://prayassociates.gift/uploads/1/3/0/5/130546294/liben-fezot-tagud-kidavawijax.pdf
- http://energiasenal.com/uploads/1/3/0/5/130547418/731394.pdf
- http://torqdrft.com/uploads/1/3/0/4/130477252/5412314.pdf
- http://pelabarba.com/uploads/1/3/0/2/130271076/sogapibadegilip.pdf
- http://umbau.us/uploads/1/3/0/5/130540266/zuwizuvunoxidu.pdf
- http://www.alldogsaresmart.info/uploads/1/3/0/5/130539554/viwitugiwibuzij-wiwereziwe.pdf
- http://howlingdog.ca/uploads/1/3/0/3/130379222/49d766e39dc.pdf
- http://mkmyoga.com/uploads/1/3/0/7/130738909/8160252.pdf
- http://plaguepilgrim.com/uploads/1/3/0/8/130814855/rekopelopagugo.pdf
- http://maintco.org/uploads/1/3/0/4/130483848/1260b1805633.pdf
- http://dartistessalon.com/uploads/1/3/0/4/130476342/4961906.pdf
- http://gkbbbq6.brdge.org/uploads/1/3/0/2/130272886/130272886.html#ultrasound+guided+suprascapular+nerve+block+video
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000147a.bin` `511683255ee4c30f6e8ec6aac829c957e91c2b3f3c31395557ee9e5e96f79047`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x147A	8700 bytes
`font_01_sfnt_off0000a98a.bin` `bde475f8daf2763ac8b4cd59ecddfcae3f7de11c80a62175665df95184a9bd09`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA98A	2912 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.