Malicious PDF — malware analysis report

Static analysis result for SHA-256 099218ed6e99d6e2…

Verdict: MALICIOUS
File type: PDF
Size: 33.8 KB
Authoring application: Adobe PDF Library 9.0
MD5: c22202fa228e5f9cb4cabd1f4ae7f65a
SHA-1: 2eaeda806a13d65721335a9259afc66696e7d723
SHA-256: 099218ed6e99d6e2da71a6450859f2ce731761c1424da389f4cf24a503b98104
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file was identified as malicious by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule and ClamAV detection. The embedded content, though heavily obfuscated, contains numerous URLs pointing to external PDF files. This suggests a link farm or redirection tactic, likely to distribute further malware or conduct phishing operations.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000282b.bin
SHA-256: 08a52c0767b866a73e0057584346732e17df58b9a467df24232596db97e44da0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x282B
Size: 7744 bytes