Malicious PDF — malware analysis report

Static analysis result for SHA-256 07463f5d4cacf047…

Verdict: MALICIOUS
File type: PDF
Size: 36.6 KB
Authoring application: PDFedit
MD5: d1054ae7d533227eb4fcda972fa3c4ef
SHA-1: 5084a55c4090c949bc6a4f0a85e54205d7e9a803
SHA-256: 07463f5d4cacf0478eb0c9a80bbf63945a3b9a7ae4a8621ab1d5ad079c428e01
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries a large number of embedded URLs pointing to other PDF files, which triggered the PDF_SEO_LINK_FARM heuristic. The targets are spread across many unrelated hosts but share an identical /uploads/1/3/0/…/ path layout, consistent with generated link-farm carrier documents rather than normal citations. ClamAV independently flags the file as Pdf.Phishing.TtraffRobotInstall-7605656-0, and the ML classifier strongly agrees with the malicious verdict. No scripts or other active content were extracted, so the document itself carries no exploit payload; the risk lies in where its links lead. The volume of external links points to a campaign that either routes users into unwanted or malicious content through those links or manipulates search-engine results.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.esaisnotok.org/uploads/1/3/0/6/130620919/zarotebojugimi_zekalax_vulode.pdf
    • http://farmboy.press/uploads/1/3/0/4/130483428/6678663.pdf
    • http://hokuainvestments.com/uploads/1/3/0/2/130289523/6d309238a55b9.pdf
    • http://mobilebillboardspaloalto.com/uploads/1/3/0/6/130621928/sawedejezujexe_forigubu_roniwumimelu.pdf
    • http://jacksonbell.net/uploads/1/3/0/4/130490245/fegubafisaviz.pdf
    • http://greaterfayettecountychamber.org/uploads/1/3/0/3/130379523/a5024738a53.pdf
    • http://artekcm.com/uploads/1/3/0/6/130621071/aafdf.pdf
    • http://baronwheelweights.com/uploads/1/3/0/4/130483337/vesaxubutem.pdf
    • http://oceanviewlotuvita.com/uploads/1/3/0/6/130639311/30c1083e7a15b.pdf
    • http://madammirage.net/uploads/1/3/0/6/130620479/8042d7.pdf
    • http://childrenslessons.org/uploads/1/3/0/2/130270781/4aca7b84.pdf
    • http://nshslibrary.org/uploads/1/3/0/6/130620267/lisajuk.pdf
    • http://hostmaster.fonddulacchurch.com/uploads/1/3/0/4/130436389/gujozasewuvof.pdf
    • http://placitasdemocratsandfriends.com/uploads/1/3/0/6/130620456/7dbb521c05fb9c.pdf
    • http://help4helpless.org/uploads/1/3/0/7/130776591/5195276.pdf
    • http://lovewisdomfractal.com/uploads/1/3/0/7/130776536/3739799.pdf
    • http://reddingwoodrvpark.com/uploads/1/3/0/6/130620917/roxasibomifegiwix.pdf
    • http://sonriseseattle.org/uploads/1/3/0/6/130621483/0d8fb7c7.pdf
    • http://iniquitasnyc.com/uploads/1/3/0/7/130740044/7728940.pdf
    • http://kitchensdoorsanddrawers.com/uploads/1/3/0/2/130291779/xabekoruj-norulagi-gapema.pdf
    • http://fs13kl.bdgct.com/uploads/1/3/0/7/130738722/130738722.html#act+reading+practice+worksheets+pdf
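The heuristic above is easy to reproduce for triage. The following Python script is an added example, not the scanner that produced this report and not the report's own code. It pulls /URI action targets out of a PDF's raw bytes and out of any FlateDecode stream that inflates cleanly (object streams, where writers commonly pack annotation dictionaries), then scores the file the way the heuristic describes: small file, many distinct external .pdf links, and how strongly they cluster on one host. The size and link-count thresholds, the example.net/.org/.com hosts and the sample PDF it builds for itself are all constructed assumptions; a production check would sit on a real PDF parser that follows the xref table and handles encryption.

```python
"""Link-farm check over a PDF's /URI link annotations (added example; thresholds assumed)."""
from __future__ import annotations

import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# /URI (literal string): escaped chars allowed; unescaped balanced parens are not handled.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# /URI <hex string>
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# stream ... endstream; the lookbehind stops "endstream" from opening a bogus match.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def _unescape(lit: bytes) -> bytes:
    """Decode PDF literal-string escapes (\\n, \\(, \\ddd octal, ...)."""
    out, i = bytearray(), 0
    while i < len(lit):
        if lit[i:i + 1] == b"\\" and i + 1 < len(lit):
            nxt = lit[i + 1:i + 2]
            octal = re.match(rb"[0-7]{1,3}", lit[i + 1:i + 4])
            if nxt in _ESCAPES:
                out += _ESCAPES[nxt]
                i += 2
            elif octal:
                out.append(int(octal.group(0), 8))
                i += 1 + len(octal.group(0))
            else:                      # unknown escape or line continuation: drop the backslash
                i += 1
            continue
        out += lit[i:i + 1]
        i += 1
    return bytes(out)


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI target in the raw bytes plus in any stream that zlib inflates."""
    blobs = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            blobs.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass                       # image data, other filters or encrypted content: skipped
    uris: list[str] = []
    for blob in blobs:
        for m in URI_LITERAL_RE.finditer(blob):
            uris.append(_unescape(m.group(1)).decode("latin-1"))
        for m in URI_HEX_RE.finditer(blob):
            digits = re.sub(rb"\s", b"", m.group(1))
            uris.append(bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode()).decode("latin-1"))
    return uris


def link_farm_check(pdf: bytes, max_size: int = 100_000, min_pdf_links: int = 10) -> dict:
    """Small file + many distinct external .pdf links -> link farm; also report host clustering."""
    uris = extract_uris(pdf)
    pdf_links = sorted({u for u in uris
                        if urlparse(u).scheme in ("http", "https")
                        and urlparse(u).path.lower().endswith(".pdf")})
    hosts = Counter(urlparse(u).hostname or "" for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    return {
        "size": len(pdf),
        "uri_count": len(uris),
        "external_pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_n / len(pdf_links) if pdf_links else 0.0,
        "link_farm": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links,
    }


def build_sample_pdf(urls: list[str], compress: bool = False) -> bytes:
    """Constructed one-page PDF with one /Link annotation per URL (no xref table; the scanner
    above does not need one). compress=True packs the annotations into a FlateDecode object stream."""
    def esc(u: str) -> str:
        return u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    annots = [f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
              f"/A << /S /URI /URI ({esc(u)}) >> >>\n" for u in urls]
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(annots)))
    out = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
           + f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
             f"/Annots [{refs}] >>\nendobj\n".encode("latin-1"))
    if not compress:
        for i, a in enumerate(annots):
            out += f"{4 + i} 0 obj\n{a}endobj\n".encode("latin-1")
    else:
        offsets, pos = [], 0
        for i, a in enumerate(annots):
            offsets.append(f"{4 + i} {pos}")
            pos += len(a)
        header = " ".join(offsets) + "\n"
        raw = zlib.compress((header + "".join(annots)).encode("latin-1"))
        out += (f"{4 + len(annots)} 0 obj\n<< /Type /ObjStm /N {len(annots)} /First {len(header)} "
                f"/Length {len(raw)} /Filter /FlateDecode >>\nstream\n".encode("latin-1")
                + raw + b"\nendstream\nendobj\n")
    return out + b"%%EOF\n"


# Constructed sample: 9 .pdf links on one host, 3 on other hosts, one duplicate, one .html link.
_A = "http://files.example.net/uploads/1/3/0/6/"
SAMPLE_URLS = [_A + p for p in (
    "130620001/a1f3.pdf", "130620002/zeku_lax.pdf", "130620003/7d2b.pdf",
    "130620004/rox_ibo.pdf", "130620005/5c9e.pdf", "130620006/vesax.pdf",
    "130620007/0d8f.pdf", "130620008/gujo.pdf", "130620009/7728.pdf")] + [
    "http://alpha.example.org/uploads/1/3/0/4/130483001/6678.pdf",
    "http://beta.example.org/uploads/1/3/0/2/130289002/6d30.pdf",
    "https://gamma.example.com/uploads/1/3/0/7/130776003/5195.pdf",
    _A + "130620001/a1f3.pdf",
    "http://fs.example.com/uploads/1/3/0/7/130738004/130738004.html#worksheets+pdf",
]

if __name__ == "__main__":
    for compress in (False, True):
        print("object stream" if compress else "plain objects",
              link_farm_check(build_sample_pdf(SAMPLE_URLS, compress)))
```

The duplicate and the .html link are deliberately in the sample: distinct .pdf targets are what the heuristic counts, and a fragment such as "#...pdf" on an HTML page must not be mistaken for a PDF link. The top_host_share value is what tells a clustered farm (one staging host) apart from the spread-out pattern seen in this report, where the hosts differ but the path layout is identical.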

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000318d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x318D
    Size: 7848 bytes
    SHA-256: 2b92f1c13594ab73c0a6632f5fe77464256a95394c32614b8a6603646ca86429