Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d4b9c3b1b420f38…

MALICIOUS

PDF

40.3 KB Authoring application: Poppler-utils
MD5: 1fce7c40e6b15d218cc38be589947e65 SHA-1: 491c5376275b7112b11f2e5e6723d0f8760defbd SHA-256: 0d4b9c3b1b420f38825e6791d43fcd489d4a08203bcfb78ddd097f4960204d3d
192 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution

This PDF document contains a large number of links to external PDF files, a technique often used to create link farms for SEO manipulation or to redirect users to malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate malicious intent, likely related to phishing or malware delivery. The embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://serenielle.com/uploads/1/3/0/6/130639410/sowuditejorup.pdf
    • http://svet.store/uploads/1/3/0/2/130291702/3765380.pdf
    • http://katletki.com/uploads/1/3/0/4/130489023/3345820.pdf
    • http://talesfromsixthgrade.com/uploads/1/3/0/4/130489029/2d7e03f1.pdf
    • http://noahbizermusic.com/uploads/1/3/0/5/130589020/4020621.pdf
    • http://artbyjonmcgaa.com/uploads/1/3/0/3/130323298/kezole.pdf
    • http://newinsightfss.org/uploads/1/3/0/2/130270798/2159c1.pdf
    • http://safechildcoalition.net/uploads/1/3/0/4/130436521/492826.pdf
    • http://adamselementarygear.com/uploads/1/3/0/2/130273578/sixusawotebuwux-rasokezinute.pdf
    • http://kikidawo.aviakompanija.ru/uploads/2020/01/28/pagasaro_merajox.pdf
    • http://propertynearyou.ph/uploads/1/3/0/5/130588248/2319534.pdf
    • http://antiviruseprotectserviceonline.site/uploads/1/3/0/7/130775389/130775389.html#vue+component+template+v-+for

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000012ee.bin
93037ce3be49ec888daa877708d0bbecff46e7ecb70376c7e83b92e832cbbdbc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12EE 8960 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.