Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d67ef78ce9464b2…

MALICIOUS

PDF

52.6 KB Authoring application: Serif PagePlus
MD5: 7aebfbd3dd07fd71b85cee6285821a6b SHA-1: 86e9bdd1c035c3b1297979bed9f60ac0cdcadf8c SHA-256: 0d67ef78ce9464b2c37e9e2390a6bf70139aa7c2afc8a430b1d4bfa9cc355385
180 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO poisoning or distributing further malicious content. The heuristic 'PDF_SEO_LINK_FARM' and ClamAV's detection of 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly indicate malicious intent. While no scripts were explicitly extracted, the structure and embedded URLs suggest a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://trucarelawns.com/uploads/1/3/0/6/130604215/datew_bipurezugir_sasosaloniweli.pdf
    • http://balticsportsciencesociety.com/uploads/1/3/0/7/130775865/tukipewanin.pdf
    • http://biosforza.com/uploads/1/3/0/6/130620334/rasalukarizadi_xikolifavik.pdf
    • http://millmaneyeassocaitesllc.com/uploads/1/3/0/4/130435803/91555c.pdf
    • http://beatologystudios.com/uploads/1/3/0/5/130588165/fikaporujulilam-gatadoditefej-wimavomi.pdf
    • http://strawhatgames.com/uploads/1/3/0/5/130543368/dulelos-naxidulob-kemijakakomixe.pdf
    • http://sparkfizz.net/uploads/1/3/0/4/130478205/3500484.pdf
    • http://nellie-vanbruggen-edu.ca/uploads/1/3/0/6/130640010/130640010.html#grade+2+maths+worksheets+pdf+south+africa
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000125e.bin
3c424092f8e6ea255eae8104a996bc98c621cc7867ba3b54ac565993406a57e6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x125E 9396 bytes
font_01_sfnt_off00007f1c.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F1C 16036 bytes
font_02_sfnt_off00009341.bin
2c32c498f23db3cae400dac070c72b38d41a5d5dbe5041cbe08e7cee44e1acfd		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9341 2648 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.