Malicious PDF — malware analysis report

Static analysis result for SHA-256 09a27bc7428ca10d…

Verdict: MALICIOUS
File type: PDF
Size: 136.0 KB
Authoring application: Adobe PDF Library 9.0
MD5: 529bf3748085c03a83c6fc890b3f1cb3
SHA-1: dccc1431ddcc7cf40559fb8bf8502265e19457f4
SHA-256: 09a27bc7428ca10d32867755383224e23cf2df700ca5e9514ad58e48a4c8bc45
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged as malicious by multiple detectors (a link-farm heuristic, a ClamAV signature and an ML classifier). It contains a large number of embedded URLs pointing to other PDF files, which suggests a link farm or redirection mechanism. The document body, though heavily obfuscated, also contains embedded URLs. The primary attack pattern appears to be the distribution of malicious links rather than direct exploitation within the PDF itself.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001370.bin
    SHA-256: 3e81bc309725b796ba2cbe904952001704040473f8793aec9eab8ac7ee4b96b9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1370
    Size: 10236 bytes
  • Filename: font_01_sfnt_off00014faa.bin
    SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14FAA
    Size: 2600 bytes