Malicious PDF — malware analysis report

Static analysis result for SHA-256 0eeeb78bbfb1a521…

Verdict: MALICIOUS

File type: PDF

Size: 37.2 KB
Authoring application: Pdftk
MD5: afa6f8c7f0291f3ff9ec0132672a2f22
SHA-1: 7844508b52697d462085d600503a0c8436334106
SHA-256: 0eeeb78bbfb1a521f7aa65ede2cc529e5b02541e657275a28938c600a2457d1b
Risk Score: 172

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, many of which point to other PDF files, indicating a link farm designed to distribute malicious content or phish users. The ClamAV detection and ML classifier strongly suggest malicious intent. While no scripts were explicitly extracted, the structure and heuristic firings point towards a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Callback phishing phone lure (severity: medium; rule: SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000350f.bin
SHA-256: ba62c2aefe12de1063c2606ebb40dc03073fd86b6ab4050af4905cc173e4f5f2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x350F
Size: 7576 bytes