Malicious PDF — malware analysis report

Static analysis result for SHA-256 14620b438a7bfd0a…

Verdict: MALICIOUS
File type: PDF, 42.8 KB
Authoring application: Smallpdf Desktop
MD5: b8cba5661630059c5db413218f23ca66
SHA-1: 58c22668248a01a0894eb342b2a20f64841aaff4
SHA-256: 14620b438a7bfd0a1b086d57332dfa3b095ed21777d49896b9d77deab7608ff3
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM', suggesting a tactic to drive traffic to malicious sites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output further indicate malicious intent, likely phishing or malware distribution. The embedded URLs are the primary indicators of compromise, pointing to where the malicious content is hosted.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000010e0.bin | 38c9f53dce4a0d6c881d841894277de627c9442aa4f1c010164de45dfcb92d5e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10E0 | 9808 bytes
font_01_sfnt_off000062aa.bin | 684a4fedbe8324165d861f219ee6753fc2e47e58a3bb7ab6c3bed7578cca1b10 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x62AA | 16200 bytes