Malicious PDF — malware analysis report

Static analysis result for SHA-256 12796a65acfda97d…

MALICIOUS

PDF

File size: 37.3 KB
Authoring application: Smallpdf Desktop
MD5: 6aa868d307b3fad2b6913db0c179527d
SHA-1: 7aab08d0d160b6dc61e9addfe0eec5daea59ce8b
SHA-256: 12796a65acfda97d46188a5cf455c7123e195dcfd20de7bef7018b31b8034723
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by multiple heuristics, including ClamAV and an ML classifier, and exhibits a large number of embedded external links. The document body, though partially corrupted, contains references to these links, suggesting a link farm or redirection scheme. The primary attack pattern involves leveraging these numerous URLs to potentially distribute malware or engage in phishing activities.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001604.bin
SHA-256: 260775f6d5319fb4a14d62a2673112f28420a8f5a1882bb3fecbbe6c2a11d3be
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1604
Size: 7812 bytes