Malicious PDF — malware analysis report

Static analysis result for SHA-256 058fe2bf82485099…

MALICIOUS

PDF

Size: 33.8 KB
Authoring application: Poppler-utils
MD5: 7c4dcd01cf70c31309a89f0f52a00c56
SHA-1: be9bdf640615f9c9f4a0b9c8f6fe0b99611ca6e0
SHA-256: 058fe2bf82485099d56f6f10f5116d2482dfe8d05c5016d421b2f39a205c6eb3
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and an ML classifier, indicating a high likelihood of malicious intent. The heuristic 'PDF_SEO_LINK_FARM' indicates the document contains a large number of external PDF links, with the first being http://musictheoryhelper.com/uploads/1/3/0/3/130313241/8189113.pdf. This suggests the document's primary purpose is to redirect users to a network of other PDFs, potentially for SEO spam or to host further malicious content. No scripts were extracted, but the embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, tag: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000022e7.bin
SHA-256: 65f2cb722fb0ed98a97ec4047a823ce1eeada20a3ff312184dbdf9d78f4dc60b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x22E7
Size: 7928 bytes