Malicious PDF — malware analysis report

Static analysis result for SHA-256 054cef0e3783acec…

MALICIOUS

PDF

31.4 KB Authoring application: ImageMagick
MD5: 8a1bc75a65e4853bf6d18342aca3d3cf SHA-1: 22bb07189184dfd95881f23bf17a6d1847543fb6 SHA-256: 054cef0e3783aceca32934daecf5c0aa60b224b60642c208ba2dc7be443caeac
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded URLs pointing to external PDF files, as indicated by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or distributing further malware. While no scripts were explicitly extracted, the PDF structure itself facilitates the redirection to these external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://lawuwexal.daewoo.fun/uploads/2020/01/28/wekomitusa_safobewojuj.pdf
    • http://gutefit.tapuzik.com/uploads/2020/01/28/e1fba304.pdf
    • http://myartisfashion.com/uploads/1/3/0/4/130483678/tedesuzidi.pdf
    • http://ketone.com/uploads/1/3/0/2/130271161/1988389.pdf
    • http://globaledumap.org/uploads/2020/01/28/disudi-kijibok-mezakapebakez-togopal.pdf
    • http://michaelshusko.com/uploads/1/3/0/5/130546759/130546759.html#caballo+de+troya+3+pdf+jj+benitez

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001104.bin
6248f09dd7b328ba03c9325caef4de870ca39dbc17bfe26094814a64c7f4565b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1104 9420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.