Malicious PDF — malware analysis report

Static analysis result for SHA-256 0f467e2b35ea4f5a…

Verdict: MALICIOUS
File type: PDF
Size: 47.4 KB
Authoring application: Solid Converter PDF
MD5: 6e59b2b2d17332c3b4ca9fa8bf460712
SHA-1: 59fba3d8d310c6fe807735056159ab5030ad1a1c
SHA-256: 0f467e2b35ea4f5a31e47af3f030bd608bb52bc83671819d907c3219b1c4fdc8
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic, which strongly suggests a link farm or redirection scheme. The ML classifier and ClamAV detection further support its malicious nature. While no scripts were extracted, the sheer volume of external links points to a likely phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005b49.bin
    SHA-256: 20a1df17a5973cc22c4087191de4a7688635af9ccd316ddc004a99d795b57416
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5B49
    Size: 8392 bytes