Malicious PDF — malware analysis report

Static analysis result for SHA-256 0bd182d31f120526…

Verdict: MALICIOUS
File type: PDF
Size: 37.2 KB
Authoring application: PDFedit
MD5: 2d4f518bb9d57d507a0b6881c9f71e01
SHA-1: 62c505a30f194ae58e1da6e564ca3b432670f783
SHA-256: 0bd182d31f120526da160a70f21a245de1cd3d611697a79798b4595d93ca0be1
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries 18 clickable link annotations, 17 of them pointing at other PDF files and one at an HTML page. Every target sits on a different domain, but all share the same /uploads/1/3/0/<n>/<id>/ path layout and random-looking file names, which is the fingerprint of generated SEO/link-farm carrier PDFs: the document exists to route a reader into further PDFs or an unwanted-software delivery chain, not to cite sources. ClamAV's signature match and the ML classifier's score of 1.0 agree on malicious intent, consistent with phishing or malware distribution. No JavaScript or other script content was extracted, so the link structure is the primary indicator; note that the heuristic's generic description speaks of links clustered on one host, whereas this sample spreads them across hosts and clusters on the path template instead. This is a static result: what those URLs serve at any given time is outside its scope.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://elispinheirobellydance.com/uploads/1/3/0/7/130740000/f9513.pdf
    • http://bobdechert.com/uploads/1/3/0/6/130621279/vukemifenititaz.pdf
    • http://easyphpwebsites.com/uploads/1/3/0/6/130603767/rogarupoleri.pdf
    • http://roseynaturals.co.uk/uploads/1/3/0/6/130604270/zoxifiniwebam.pdf
    • http://azaharaong.com/uploads/1/3/0/6/130605015/9185482.pdf
    • http://myrallylife.com/uploads/1/3/0/7/130776407/550215.pdf
    • http://www.wimaumamatters.com/uploads/1/3/0/2/130289510/mepotuvujefegov_nuparulojukemuk_wubiw.pdf
    • http://roxandsol.com/uploads/1/3/0/5/130588272/fuzekinujurugubow.pdf
    • http://mx.shopandcarry.com/uploads/1/3/0/6/130604533/wopuse-taferarozanik-vavanedit-nisabafakatiwok.pdf
    • http://arogyamart.com/uploads/1/3/0/2/130272266/78c08b4c791ab.pdf
    • http://myrottweiler.org/uploads/1/3/0/8/130813417/bikugapib.pdf
    • http://urdentistpvr.com/uploads/1/3/0/6/130620873/sotologi_pomozexumapidud_mexotagexoti_gowupalaru.pdf
    • http://drinkhereplayhere.com/uploads/1/3/0/7/130774962/bogomaladux.pdf
    • http://neverwhisper.com/uploads/1/3/0/5/130540700/bososodegimana-sekiz-jobivasikelax.pdf
    • http://www.thebaserevelstoke.com/uploads/1/3/0/8/130873997/8271743.pdf
    • http://theorderoftheoak.org/uploads/1/3/0/7/130775596/229b6a1a5dde.pdf
    • http://32shadesofgreen.com/uploads/1/3/0/6/130604771/lenanosexetume-vogaxewel.pdf
    • http://riversidecountyhistory.org/uploads/1/3/0/9/130969759/130969759.html#curso+de+ingles+tiempos+verbales+pdf
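The URL extraction and the link-farm test described by the heuristics above, as an added worked example that is not the analysis platform's own code. It scans a PDF for the targets of /URI link actions (literal and hex string forms, with the escape rules that matter for URLs), then scores the link set on the properties the PDF_SEO_LINK_FARM rule names: link volume relative to file size, the share of .pdf targets, and how tightly the links cluster by host and by path template. The sample PDF is built inside the code and is not the analysed file; its host names, URLs and the thresholds in is_seo_link_farm are made up for the example.

```python
"""Pull /URI link targets out of a PDF and score the SEO link-farm pattern."""
import re
from urllib.parse import urlsplit

# A link annotation's target sits in a URI action: /A << /S /URI /URI (http://...) >>.
# The string may be a literal (...) with backslash escapes or a hex string <...>.
_URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.DOTALL)


def _unescape_literal(raw: bytes) -> bytes:
    """Resolve the PDF literal-string escapes that can appear inside a URL."""
    out, i = bytearray(), 0
    while i < len(raw):
        c = raw[i]
        if c != 0x5C or i + 1 == len(raw):            # not a backslash: copy through
            out.append(c)
            i += 1
            continue
        nxt = raw[i + 1]
        if 0x30 <= nxt <= 0x37:                        # \ddd octal escape, one to three digits
            j = i + 1
            while j < min(i + 4, len(raw)) and 0x30 <= raw[j] <= 0x37:
                j += 1
            out.append(int(raw[i + 1:j], 8) & 0xFF)
            i = j
            continue
        out.append({0x6E: 0x0A, 0x72: 0x0D, 0x74: 0x09}.get(nxt, nxt))  # \n \r \t, else the char itself
        i += 2
    return bytes(out)


def extract_uris(pdf: bytes) -> list:
    """Return every URI-action target in file order. A raw byte scan needs no xref, so it also
    sees objects left outside the xref or in incremental updates; it does not see objects packed
    into compressed /ObjStm streams, which need inflating first."""
    uris = []
    for m in _URI_RE.finditer(pdf):
        if m.group("lit") is not None:
            uris.append(_unescape_literal(m.group("lit")).decode("latin-1"))
        else:
            digits = re.sub(rb"\s", b"", m.group("hex"))
            if len(digits) % 2:
                digits += b"0"                          # PDF pads an odd final nibble with 0
            uris.append(bytes.fromhex(digits.decode()).decode("latin-1"))
    return uris


def link_farm_stats(uris, pdf_size: int) -> dict:
    """Summarise external links: volume, share of .pdf targets, host and path-template clustering."""
    hosts, templates, pdf_targets = {}, {}, 0
    for u in uris:
        p = urlsplit(u)
        if p.scheme not in ("http", "https"):
            continue
        host = p.hostname or ""
        hosts[host] = hosts.get(host, 0) + 1
        pdf_targets += p.path.lower().endswith(".pdf")
        # Collapse digit runs so /uploads/1/3/0/7/130740000/x.pdf and /uploads/1/3/0/6/130621279/y.pdf
        # land in one template: generated farms reuse one layout under many hosts.
        tmpl = re.sub(r"\d+", "N", p.path.rsplit("/", 1)[0])
        templates[tmpl] = templates.get(tmpl, 0) + 1
    total = sum(hosts.values())
    return {
        "external_links": total,
        "pdf_targets": pdf_targets,
        "distinct_hosts": len(hosts),
        "top_host_share": max(hosts.values()) / total if total else 0.0,
        "top_template_share": max(templates.values()) / total if total else 0.0,
        "links_per_kb": total / (pdf_size / 1024) if pdf_size else 0.0,
    }


def is_seo_link_farm(stats: dict, min_links=10, min_pdf_share=0.8, min_cluster=0.8) -> bool:
    """Illustrative thresholds (an assumption, not the platform's rule): many links, nearly all
    to .pdf targets, clustered either on one host or on one path template."""
    if stats["external_links"] < min_links:
        return False
    if stats["pdf_targets"] / stats["external_links"] < min_pdf_share:
        return False
    return max(stats["top_host_share"], stats["top_template_share"]) >= min_cluster


def build_link_farm_pdf(n_pdf_links: int = 12) -> bytes:
    """Constructed stand-in for the analysed file (hosts and URLs are made up): one page whose
    link annotations point at .pdf files on distinct hosts that share one path layout."""
    objs, annots, num = [], [], 4
    for i in range(n_pdf_links):
        url = f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/1306{i:05d}/doc{i}.pdf"
        objs.append(f"{num} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI ({url}) >> >> endobj\n")
        annots.append(f"{num} 0 R")
        num += 1
    # One literal with escaped parentheses and one hex-string target ending in .html,
    # to exercise both string forms and the mixed targets real farms carry.
    objs.append(f"{num} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI "
                "/URI (http://paren.example/uploads/1/3/0/2/130272266/a\\(1\\).pdf) >> >> endobj\n")
    annots.append(f"{num} 0 R")
    num += 1
    hexurl = b"http://last.example/uploads/1/3/0/9/130969759/130969759.html".hex()
    objs.append(f"{num} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                f"/A << /S /URI /URI <{hexurl}> >> >> endobj\n")
    annots.append(f"{num} 0 R")
    doc = ("%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
           "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
           f"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [{' '.join(annots)}] >> endobj\n"
           + "".join(objs) + "trailer << /Root 1 0 R >>\n%%EOF\n")
    return doc.encode("latin-1")
```

Run it as `stats = link_farm_stats(extract_uris(pdf), len(pdf))` on the bytes of any PDF. For a real triage the raw scan should be paired with inflating /ObjStm and /FlateDecode streams first, otherwise a farm that parks its annotations in an object stream scores zero; and the digit-collapsing template is deliberately coarse, so treat a high top_template_share as a reason to look, not as proof on its own.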

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003603.bin
SHA-256: 385d428c2e5ed0be5f79f7229e2a67f910ff8b5a1b3d4f517e5d576f4e57f809
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3603
Size: 7904 bytes
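The carving step behind the artifact row above, as an added worked example that is not the analysis platform's own code. It walks a PDF's stream objects, inflates the ones declared /FlateDecode, keeps the streams whose decoded bytes open with an sfnt magic (TrueType, Apple 'true' or CFF-based OpenType), and records for each one the file offset of the raw stream data, the decoded size, its SHA-256 and the table tags from the font's directory, in the same shape as the report's row. The sample PDF, the fake font, the file-name pattern and the reading of "offset" as the raw stream's file offset are constructed assumptions for the example.

```python
"""Carve embedded font programs (sfnt: TrueType/OpenType) out of a PDF's streams."""
import hashlib
import re
import zlib

# Four-byte tags that open a single sfnt font program.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")

# "N G obj << dict >> stream\n": the tempered dot stops one match from running past a
# stream-less object into the next; the non-greedy dict still backtracks over nested << >>.
_STREAM_OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*(?P<dict><<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.DOTALL)
_LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # direct /Length only, not "n 0 R"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sfnt_table_tags(font: bytes) -> list:
    """Read the sfnt table directory: numTables at offset 4, 16-byte records from offset 12."""
    n = int.from_bytes(font[4:6], "big")
    return [font[12 + 16 * i:16 + 16 * i].decode("latin-1")
            for i in range(n) if 28 + 16 * i <= len(font)]


def carve_sfnt_fonts(pdf: bytes) -> list:
    """Walk every stream object, undo FlateDecode where declared, and keep the streams that
    start with an sfnt magic. 'offset' is the file offset of the raw (still encoded) stream data."""
    found = []
    for m in _STREAM_OBJ_RE.finditer(pdf):
        start, d = m.end(), m.group("dict")
        lm = _LENGTH_RE.search(d)
        if lm:
            raw = pdf[start:start + int(lm.group(1))]
        else:                                   # indirect /Length: fall back to the keyword
            end = pdf.find(b"endstream", start)
            raw = pdf[start:end].rstrip(b"\r\n") if end != -1 else b""
        data = raw
        if b"/FlateDecode" in d:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue                        # truncated or corrupt stream: nothing to carve
        if data[:4] not in SFNT_MAGICS:
            continue
        found.append({
            "object": int(m.group(1)),
            "offset": start,
            "size": len(data),
            "sha256": sha256_hex(data),
            "tables": sfnt_table_tags(data),
            "filename": f"font_{len(found):02d}_sfnt_off{start:08x}.bin",
        })
    return found


def make_fake_sfnt() -> bytes:
    """Constructed TrueType-shaped blob: valid header and table directory, zero-filled tables."""
    tags = [b"cmap", b"glyf"]
    header = b"\x00\x01\x00\x00" + len(tags).to_bytes(2, "big") + b"\x00" * 6
    directory = b"".join(tag + b"\x00" * 12 for tag in tags)   # checksum, offset, length zeroed
    return header + directory + b"\x00" * 64


SAMPLE_FONT = make_fake_sfnt()


def build_font_pdf() -> bytes:
    """Constructed one-page PDF (not the analysed sample): a Flate-compressed content stream,
    a Flate-compressed embedded font, and a plain stream that is not a font."""
    content = zlib.compress(b"BT /F1 12 Tf (hello) Tj ET")
    zfont = zlib.compress(SAMPLE_FONT)
    return b"".join([
        b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj\n",
        b"4 0 obj << /Length %d /Filter /FlateDecode >> stream\n" % len(content),
        content, b"\nendstream endobj\n",
        b"5 0 obj << /Length %d /Filter /FlateDecode /Length1 %d >> stream\n"
        % (len(zfont), len(SAMPLE_FONT)),
        zfont, b"\nendstream endobj\n",
        b"6 0 obj << /Length 10 >> stream\nnot a font\nendstream endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])
```

Because the offset points at the raw stream data, a carved blob can be located again in a hex editor and its inflated bytes re-hashed to confirm the SHA-256. The fallback for an indirect /Length searches for the endstream keyword, which binary data can defeat; a xref-driven parser is the robust path for that case, and a carver for production use should also handle the other filters (/LZWDecode, /ASCIIHexDecode, /ASCII85Decode) that a font stream may sit behind.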