Malicious PDF — malware analysis report

Static analysis result for SHA-256 103e906a6ff891cc…

Verdict: MALICIOUS
File type: PDF
Size: 41.7 KB
Authoring application: SWFTools
MD5: 826af3199170dab3b78e012292ea47d3
SHA-1: 8dbe3759fb579075589643dc5b983ed70db387f0
SHA-256: 103e906a6ff891cc258cbd985256b96b915c397504d65cda6e384d1212723ec0
Risk score: 172

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of clickable external links, nearly all pointing at other PDFs, which is the shape of a generated SEO link-farm document used to pull search traffic into redirect or unwanted-software delivery chains rather than the citation pattern of a normal document. The PDF_SEO_LINK_FARM heuristic and the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 both fire, and the SE_CALLBACK_LURE heuristic reports a phone-number lure in a billing, refund or security context, so the sample combines two social-engineering channels. No script content was extracted; the risk is in the links and the callback lure, not in active content. Two details matter when triaging the URL list below: the linked PDFs sit on a dozen distinct hosts but share one upload-path template (/uploads/1/3/0/<digit>/130<six digits>/<name>.pdf), which is what marks them as generated rather than cited; and the last three URLs (www.ascendercorp.com and the Fedora Liberation font license page) are the vendor and license URLs that Liberation fonts carry in their metadata, so with two sfnt fonts carved from this file they most likely originate in the embedded fonts rather than in link annotations and should not be counted toward the farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mrulmersmathunit.com/uploads/1/3/0/8/130814248/7044895.pdf
    • http://grassrootsdrift.com/uploads/1/3/0/5/130588550/65d6f9d9f.pdf
    • http://www.robotbellybutton.com/uploads/1/3/0/7/130776555/17d83.pdf
    • http://ubaentertainment.com/uploads/1/3/0/4/130477252/159cb.pdf
    • http://financialhelpforcancer.org/uploads/1/3/0/8/130874305/713846.pdf
    • http://polarsense.com/uploads/1/3/0/3/130313000/5389071.pdf
    • http://jimslawnservice.org/uploads/1/3/0/9/130969717/sevejerag_zanoped.pdf
    • http://syossetcommunitychurch.org/uploads/1/3/0/5/130551518/sonixa_raxovax_tajabesewiw.pdf
    • http://boxatsantafe.com/uploads/1/3/0/6/130620728/4017827.pdf
    • http://eng.golnazbehrouznia.com/uploads/1/3/0/6/130640109/aa699.pdf
    • http://iachassociation.com/uploads/1/3/0/3/130379363/1179313.pdf
    • http://grillou.fr/uploads/1/3/0/7/130740590/130740590.html#aadhaar+address+update+documents
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
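The following is an added example, not the analysis platform's own implementation, of how the PDF_SEO_LINK_FARM heuristic above can be reproduced in a triage script. It pulls /URI link-annotation targets out of raw PDF bytes with a regular expression, then scores the file on size, external-link count and clustering. It goes one step beyond the heuristic text: clustering is measured both by host, as the description says, and by normalised path template, because a farm spread across many hosts (as the URL list in this report is) still shares one upload-path shape. The thresholds, the `.example` hosts and the sample PDF are constructed for illustration and are not the report's calibrated values or data.

```python
"""Added example (not the analysis platform's code): a minimal PDF_SEO_LINK_FARM check.

Thresholds below are assumptions for illustration, not the report's calibrated values.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

MAX_SIZE_BYTES = 100 * 1024      # "small PDF": assumed cut-off
MIN_EXTERNAL_LINKS = 8           # "mass" link count: assumed cut-off
MIN_CLUSTER_SHARE = 0.6          # share of links on the top host or top path template

# /URI (literal string) inside a link annotation. PDF literal strings escape ) ( and \ with a backslash.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return /URI targets found in uncompressed objects.

    Caveat: this sees nothing inside FlateDecode or /ObjStm streams; a real tool inflates
    those first (or uses a PDF parser) and then applies the same scoring.
    """
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        raw = raw.replace(rb"\)", b")").replace(rb"\(", b"(").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def path_template(url: str) -> str:
    """Normalise a URL path: digit runs in directories -> N, file name -> *.<ext>.

    /uploads/1/3/0/8/130814248/7044895.pdf -> /uploads/N/N/N/N/N/*.pdf
    """
    path = urlsplit(url).path
    segments = path.split("/")
    if len(segments) <= 1 or segments[-1] == "":
        return path or "/"
    *dirs, name = segments
    dirs = [re.sub(r"\d+", "N", d) for d in dirs]
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    return "/".join(dirs) + "/*" + ext


def assess_link_farm(pdf_bytes: bytes) -> dict:
    """Apply the link-farm heuristic and return the evidence alongside the verdict."""
    external = [u for u in extract_uris(pdf_bytes)
                if urlsplit(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(path_template(u) for u in external)
    top_host, top_host_n = hosts.most_common(1)[0] if n else (None, 0)
    top_tmpl, top_tmpl_n = templates.most_common(1)[0] if n else (None, 0)
    host_share = top_host_n / n if n else 0.0
    tmpl_share = top_tmpl_n / n if n else 0.0
    triggered = (len(pdf_bytes) <= MAX_SIZE_BYTES
                 and n >= MIN_EXTERNAL_LINKS
                 and max(host_share, tmpl_share) >= MIN_CLUSTER_SHARE)
    return {
        "size_bytes": len(pdf_bytes),
        "external_links": n,
        "distinct_hosts": len(hosts),
        "top_host": top_host, "top_host_share": round(host_share, 3),
        "top_template": top_tmpl, "top_template_share": round(tmpl_share, 3),
        "triggered": triggered,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed sample input: a one-page, uncompressed PDF with one link annotation per URL."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>\n"
        for u in urls)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]\n"
            b"/Annots [\n" + annots + b"] >> endobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


# Constructed URLs on hypothetical hosts mimicking the report's shape: many hosts, one template.
FARM_URLS = [f"http://site-{i}.example/uploads/1/3/0/{i % 10}/13{i:07d}/{i * 7919:x}.pdf"
             for i in range(12)]
FARM_URLS += ["http://www.vendor.example/", "https://fonts.example/license"]

if __name__ == "__main__":
    print(assess_link_farm(build_sample_pdf(FARM_URLS)))
    print(assess_link_farm(build_sample_pdf(["https://example.org/paper.pdf"])))
```

On the constructed farm the top-host share is 1/14, so a host-only clustering rule would miss it, while the path-template share is 12/14 and trips the check; the single-citation PDF does not. Keep the returned evidence alongside the verdict so the analyst can see which axis fired.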

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000041d3.bin
    SHA-256: d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x41D3
    Size: 2616 bytes
  • font_01_sfnt_off00004d78.bin
    SHA-256: 9f99faf4f80e94b8803b0141d1b7e940951bab08de7768452f853e676dd40b48
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4D78
    Size: 7608 bytes