Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e7bcd23f68e6952…

Verdict: MALICIOUS
File type: PDF
Size: 39.4 KB
Authoring application: Poppler-utils
MD5: eecbe42925f5bc18fd6a6b3643791646
SHA-1: 49d4570e26af1e862a1776d48ec11e5ae062da84
SHA-256: 0e7bcd23f68e6952807da4401006cd32fa91f98903ab8edb5a0eb8976a006ecc
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF was flagged by two independent detectors, the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the Nyx PDF classifier (malicious score 0.9999). The decisive heuristic is PDF_SEO_LINK_FARM: a 39.4 KB document whose content is a set of clickable external links to further PDFs. No scripts were extracted, so the file does not attack the reader application; it is a lure that routes whoever opens it into a download chain. All 17 link targets use the same /uploads/1/3/0/<digit>/<9-digit id>/<name> path template on apparently unrelated hosts, 16 of them .pdf files and one .html page whose fragment (turkish+march+piano+sheet+free) is the search-engine bait, which is the signature of an automatically generated link farm rather than genuine citations. The URLs are the actionable indicators: block or sinkhole them and search proxy logs for the full path pattern. The hosts on their own are weak indicators, since each appears to be an ordinary site carrying a single farm page.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. (In this sample the 17 links sit on 17 different hosts; what clusters is the path template /uploads/1/3/0/<digit>/<9-digit id>/, which every target shares.)
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; where per-URL labels are present they show which channel (macro, JS, link annotation, document body, ...) reached each URL, but no such labels appear in this report. 17 URLs were extracted:
    • http://mrcrosbyswebsite.com/uploads/1/3/0/4/130476102/0ff5f7bc99.pdf
    • http://thealiceprince.com/uploads/1/3/0/3/130313293/buxewisakobura.pdf
    • http://bestmassagescottsdale.com/uploads/1/3/0/5/130588591/3368731.pdf
    • http://farmlawyer.com/uploads/1/3/0/6/130621216/dukem.pdf
    • http://powerofthepenpublishing.net/uploads/1/3/0/6/130604620/199ad894.pdf
    • http://thesingbabysingshow.com/uploads/1/3/0/5/130540193/84422ff1.pdf
    • http://lincolnbailbonds.net/uploads/1/3/0/5/130588443/losunebopuniw.pdf
    • http://emilybbakes.com/uploads/1/3/0/8/130813877/vunefukadiduramawen.pdf
    • http://www.fpmsgroup.com/uploads/1/3/0/6/130620209/vinone.pdf
    • http://mworhestra.com/uploads/1/3/0/2/130272575/jogifujiw-bofaf-fafepi-numefewopi.pdf
    • http://elciruelo.org/uploads/1/3/0/4/130490245/47cabb51f34.pdf
    • http://shabbybungalow.com/uploads/1/3/0/8/130814575/vikuz-pigoxina-gubiwadiwuta.pdf
    • http://divinedwelling.org/uploads/1/3/0/7/130776760/d6865ada94c9f3.pdf
    • http://pholi.net/uploads/1/3/0/5/130588403/dobox-xubujuze.pdf
    • http://www.voteforcars.com/uploads/1/3/0/4/130476564/titadibozawapibanon.pdf
    • http://airplusductcleaning.com/uploads/1/3/0/5/130539795/9001937.pdf
    • http://9pucc.slpny.com/uploads/1/3/0/6/130604732/130604732.html#turkish+march+piano+sheet+free
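To make the PDF_SEO_LINK_FARM heuristic concrete, the following is an added example in Python (my code, not the analysis platform's): it builds a constructed PDF carrying one link annotation per URL for a subset of the targets listed above, extracts the /URI targets with a regex, and scores the result. It generalises the heuristic as the report describes it: besides clustering on one host it also clusters on a normalised path template, which is what this sample's targets share while sitting on different hosts. The thresholds (min_links, max_size, the 50% shares) and the build_pdf/link_farm_report names are assumptions, not the platform's.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: a subset of the link targets listed in the report above.
SAMPLE_URLS = [
    "http://mrcrosbyswebsite.com/uploads/1/3/0/4/130476102/0ff5f7bc99.pdf",
    "http://thealiceprince.com/uploads/1/3/0/3/130313293/buxewisakobura.pdf",
    "http://bestmassagescottsdale.com/uploads/1/3/0/5/130588591/3368731.pdf",
    "http://farmlawyer.com/uploads/1/3/0/6/130621216/dukem.pdf",
    "http://powerofthepenpublishing.net/uploads/1/3/0/6/130604620/199ad894.pdf",
    "http://thesingbabysingshow.com/uploads/1/3/0/5/130540193/84422ff1.pdf",
    "http://lincolnbailbonds.net/uploads/1/3/0/5/130588443/losunebopuniw.pdf",
    "http://emilybbakes.com/uploads/1/3/0/8/130813877/vunefukadiduramawen.pdf",
    "http://www.fpmsgroup.com/uploads/1/3/0/6/130620209/vinone.pdf",
    "http://9pucc.slpny.com/uploads/1/3/0/6/130604732/130604732.html#turkish+march+piano+sheet+free",
]


def build_pdf(urls):
    """Minimal single-page PDF whose only content is one /Link annotation with a
    /URI action per URL (constructed test input, not the real sample).
    URIs containing '(' ')' or '\\' would need escaping; these do not."""
    annots = [f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20]"
              f" /A << /S /URI /URI ({u}) >> >>" for u in urls]
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(annots)))
    bodies = [
        "<< /Type /Catalog /Pages 2 0 R >>",
        "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{refs}] >>",
    ] + annots
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(bodies, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref = len(out)
    out += f"xref\n0 {len(bodies) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{o:010d} 00000 n \n".encode() for o in offsets)
    out += f"trailer\n<< /Size {len(bodies) + 1} /Root 1 0 R >>\n".encode()
    out += f"startxref\n{xref}\n%%EOF\n".encode()
    return bytes(out)


# Literal-string /URI values only: hex strings, URIs inside compressed object
# streams and other action types (GoToR, Launch) are out of scope for this regex.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def extract_uris(pdf):
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def path_template(path):
    """Numeric segments become N and the final segment becomes *.<ext>, so
    /uploads/1/3/0/4/130476102/x.pdf -> /uploads/N/N/N/N/N/*.pdf"""
    parts, out = path.split("/"), []
    for i, seg in enumerate(parts):
        if i == len(parts) - 1 and seg:
            out.append("*." + seg.rsplit(".", 1)[1].lower() if "." in seg else "*")
        elif seg.isdigit():
            out.append("N")
        else:
            out.append(seg)
    return "/".join(out)


def link_farm_report(pdf, min_links=8, max_size=100 * 1024):
    """Assumed thresholds (not the platform's): a PDF under max_size bytes with
    at least min_links external links, mostly to .pdf targets, clustering on
    one host or on one path template, is flagged as a link farm."""
    external = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(path_template(urlsplit(u).path) for u in external)
    pdf_targets = sum(urlsplit(u).path.lower().endswith(".pdf") for u in external)
    top_host = max(hosts.values()) / n if n else 0.0
    top_template = max(templates.values()) / n if n else 0.0
    flagged = (n >= max(min_links, 1) and len(pdf) <= max_size
               and pdf_targets / n >= 0.5 and (top_host >= 0.5 or top_template >= 0.5))
    return {
        "size": len(pdf), "external_links": n, "pdf_targets": pdf_targets,
        "distinct_hosts": len(hosts), "top_host_share": top_host,
        "top_template": templates.most_common(1)[0][0] if n else None,
        "top_template_share": top_template, "link_farm": flagged,
    }


if __name__ == "__main__":
    for key, value in link_farm_report(build_pdf(SAMPLE_URLS)).items():
        print(f"{key}: {value}")
```

Run against the constructed sample the report shows ten external links on ten distinct hosts, nine of them .pdf, with 90% sharing the template /uploads/N/N/N/N/N/*.pdf, so the host-only rule in the platform's description would miss it while the template rule catches it. For a real sample, swap the regex extractor for a proper parser (pdfminer, pikepdf, or peepdf) so that URIs inside object streams and hex strings are not missed.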

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003b96.bin
SHA-256:  209e30d7e1833c1e63a8b75ffd19807030fcd81634884af656b79f44140cc59e
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x3B96
Size:     9636 bytes
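The carved font stream is the only artifact, and in a link-farm PDF it is most likely just the font that renders the visible text. A carved sfnt still deserves a structural check before it is dismissed, because its table directory can point outside the blob or leave unaccounted trailing bytes where something else is stored. The following is an added example in Python (my code, not the analysis platform's; the carved file is not available here, so the input is a constructed sfnt from the build_sfnt helper, which is also an assumption) that parses the table directory, verifies per-table checksums and reports anything beyond the last table.

```python
import struct

# sfnt "version" tags that identify a font container.
SFNT_FLAVORS = {b"\x00\x01\x00\x00": "TrueType", b"true": "TrueType (Apple)",
                b"OTTO": "OpenType/CFF"}


def table_checksum(data):
    """sfnt table checksum: big-endian uint32 sum over the table padded to 4 bytes."""
    data = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(data) // 4}I", data)) & 0xFFFFFFFF


def build_sfnt(tables, trailing=b""):
    """Build a syntactically valid TrueType container from {tag: bytes}
    (constructed test input, not the carved artifact)."""
    n = len(tables)
    p = 1                                   # largest power of two <= n
    while p * 2 <= n:
        p *= 2
    header = b"\x00\x01\x00\x00" + struct.pack(
        ">HHHH", n, p * 16, p.bit_length() - 1, n * 16 - p * 16)
    offset, directory, body = 12 + 16 * n, b"", b""
    for tag in sorted(tables):
        data = tables[tag]
        directory += struct.pack(">4sIII", tag, table_checksum(data),
                                 offset + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return header + directory + body + trailing


def parse_sfnt(blob):
    """Parse the table directory and report what triage wants to know: flavor,
    table tags, tables running past the end of the blob, checksum mismatches,
    and bytes beyond the last table (where a payload could hide)."""
    if len(blob) < 12:
        raise ValueError("shorter than an sfnt header")
    flavor = SFNT_FLAVORS.get(blob[:4])
    if flavor is None:
        raise ValueError(f"not an sfnt container: {blob[:4]!r}")
    num_tables = struct.unpack(">H", blob[4:6])[0]
    dir_end = 12 + 16 * num_tables
    if dir_end > len(blob):
        raise ValueError(f"directory claims {num_tables} tables, blob is {len(blob)} bytes")
    tables, problems, covered = {}, [], dir_end
    for i in range(num_tables):
        tag, checksum, off, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        name = tag.decode("latin-1")
        tables[name] = (off, length)
        if off + length > len(blob):
            problems.append(f"{name}: runs past end of blob")
            continue
        # 'head' is skipped: its checkSumAdjustment field changes the stored value.
        if name != "head" and table_checksum(blob[off:off + length]) != checksum:
            problems.append(f"{name}: checksum mismatch")
        covered = max(covered, off + length + (-length % 4))
    return {"flavor": flavor, "tables": tables, "problems": problems,
            "trailing_bytes": max(0, len(blob) - covered)}


if __name__ == "__main__":
    font = build_sfnt({b"cmap": b"\x00\x00\x00\x01", b"glyf": bytes(range(13)),
                       b"head": bytes(54)}, trailing=b"X" * 100)
    print(parse_sfnt(font))
```

On a real carved stream the interesting outcomes are a non-empty problems list or a large trailing_bytes value; a clean directory with zero slack, as here, supports treating the artifact as an ordinary font and moving on to the URLs.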