Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d39982eb04f2aa2…

Verdict: MALICIOUS
File type: PDF
Size: 37.9 KB
Authoring application: PDFBox
MD5: 16fc13ef3347b4e2f2163782c9df3b95
SHA-1: 65d2ce33a618a57809899cc74a9b52528604a6bf
SHA-256: 0d39982eb04f2aa27d20fc31529af2227015ab9b4d3310d94aee295dd9d12e07
Risk Score: 152

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The PDF document contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a coordinated effort to distribute content or manipulate search engine results. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002f4b.bin
SHA-256: f5a901b76d6aa39865323ac4e590bb7bbea8e393569fc87fa303b1e5fad9c81f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2F4B
Size: 8564 bytes