Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c1877d79f997c1e…

Verdict: MALICIOUS
File type: PDF
Size: 105.3 KB
Authoring application: PDFedit
MD5: b77eee62973d6cc2c9ef3afde57a1279
SHA-1: 768937c275645c04bb363e9fa1205887a6216ad3
SHA-256: 1c1877d79f997c1e057b2c9d9c89bcef92629554ed88d4bb88639006a115b77a
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1204.002 User Execution: Malicious File

The PDF was flagged by three independent detections: a ClamAV signature, an ML classifier and a critical heuristic. The PDF_SEO_LINK_FARM heuristic fired because a small document carries a large number of clickable external links, most of them pointing at further PDFs, with gotravelethiopia.com as the primary domain. The document body, although partially corrupted, also contains several of these URLs as plain text. The file is assessed as a generated SEO/link-farm lure whose purpose is to route users who open or search into it onward to potentially harmful content rather than to convey a document of its own.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://gotravelethiopia.com/uploads/1/3/0/2/130273762/5a635eb8134.pdf
    • http://journeytosimplicity.org/uploads/1/3/0/6/130620456/faxeva_taleponat_kiwut.pdf
    • http://moneytipmonday.com/uploads/1/3/0/4/130488304/kabow_wujafopijita.pdf
    • http://mt-akademie.com/uploads/1/3/0/5/130538839/7381192.pdf
    • http://myeduzone.org/uploads/1/3/0/5/130589047/9151441.pdf
    • http://noukstyle.nl/uploads/1/3/0/5/130543099/sevajejaz.pdf
    • http://wisconsinweddingmusic.com/uploads/1/3/0/2/130288492/somulojunu.pdf
    • http://yorktownplumbing.com/uploads/1/3/0/2/130272898/faed8.pdf
    • http://cubiclezombiefilm.com/uploads/1/3/0/5/130589402/wutezuzagozirar-fumutesosu-genap.pdf
    • http://mail.killforeden.com/uploads/1/3/0/4/130489830/4311536.pdf
    • http://debernhardtwood.org.uk/uploads/1/3/0/3/130379094/86fbccfbecfb5.pdf
    • http://mikesfamoussteaksandsubs.com/uploads/1/3/0/2/130287239/bosak-wuvazopovofipuf.pdf
    • http://bellabeautyspa.net/uploads/1/3/0/6/130605146/sifofejo.pdf
    • http://sidewalklegal.com/uploads/1/3/0/4/130488251/37448b7e5c45f7.pdf
    • http://unmysterium.com/uploads/1/3/0/6/130604402/8ecbc5bbe3fe1.pdf
    • http://swag-walk.com/uploads/1/3/0/5/130550928/sudeweba.pdf
    • http://lighteracu.com/uploads/1/3/0/4/130435701/250db17.pdf
    • http://rachelpendergraft.net/uploads/1/3/0/2/130270775/mutomaturazo.pdf
    • http://lazyequalsbroke.com/uploads/1/3/0/4/130477228/xaroroj.pdf
    • http://www.jobped.com/uploads/1/3/0/4/130435956/putomufuz-midosigowu-pedopepapusip.pdf
    • http://betterbodiesgympattaya.com/uploads/1/3/0/5/130539637/bibuda.pdf
    • http://windsongresort.devsite-1.com/uploads/1/3/0/4/130483454/130483454.html#the+maze+runner+book+ending+explained
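The two checks above, per-channel URL extraction and the PDF_SEO_LINK_FARM pattern (small file, many clickable external links, mostly to further PDFs, mostly on one host), worked through in code. This is an added example, not the analysis platform's own code. The sample PDF, its `.example` hostnames, the body URL and the thresholds (size cap, minimum link count, PDF-target share, host-clustering share) are constructed assumptions; the platform's tuned values are not on this page.

```python
"""Triage a suspected SEO/link-farm PDF: label each URL by the channel that reached it,
then apply the PDF_SEO_LINK_FARM pattern. Added example; sample and thresholds are assumed."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# /URI (...) in a link annotation's action dictionary: the clickable channel.
# Caveat: literal strings only; escaped ')' and hex strings <...> are not handled.
URI_ANNOT_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Bare http(s) URLs in raw or inflated bytes: the document-body channel.
RAW_URL_RE = re.compile(rb"https?://[^\s<>\"')\]]+")
# Stream bodies; the lookbehind stops 'endstream' from opening a match.
# Caveat: assumes '\n' around stream/endstream, as the builder below emits.
STREAM_RE = re.compile(rb"(?<!end)stream\n(.*?)\nendstream", re.S)

FARM_HOST = "link-farm.example"  # constructed; .example is reserved (RFC 2606)
SAMPLE_LINK_URLS = [
    f"http://{FARM_HOST}/uploads/1/3/0/{i}/13000{i:04d}/{i:x}{i:x}.pdf" for i in range(9)
] + [
    "http://other-a.example/uploads/1/3/0/2/130000010/a.pdf",
    "http://other-b.example/uploads/1/3/0/3/130000011/b.pdf",
    "http://other-c.example/uploads/1/3/0/4/130000012/c.html#some+search+phrase",
]
BODY_URL = "http://blog.example/tips/the-maze-runner-ending.html"  # constructed


def build_sample_pdf(link_urls, body_url):
    """Constructed one-page PDF: /Link annotations with /URI actions plus one URL that
    exists only as text inside a FlateDecode content stream. No xref table is written;
    the scanners below do not need one."""
    annot_refs = " ".join(f"{5 + i} 0 R" for i in range(len(link_urls))).encode()
    content = zlib.compress(f"BT /F1 10 Tf 40 700 Td (See also {body_url}) Tj ET".encode())
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots ["
        + annot_refs + b"] >>",
        b"<< /Length " + str(len(content)).encode() + b" /Filter /FlateDecode >>\nstream\n"
        + content + b"\nendstream",
    ]
    for i, url in enumerate(link_urls):
        y = 650 - 14 * i
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [40 {y} 500 {y + 12}] "
                    f"/A << /S /URI /URI ({url}) >> >>".encode())
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, start=1):
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def extract_urls(pdf_bytes):
    """Map each URL to the set of channels that reached it: 'link_annotation' for /URI
    actions, 'document_body' for URLs in raw bytes or inflated streams outside any /URI."""
    channels, annot_spans = {}, []
    for m in URI_ANNOT_RE.finditer(pdf_bytes):
        channels.setdefault(m.group(1).decode("latin-1").strip(), set()).add("link_annotation")
        annot_spans.append(m.span(1))
    for m in RAW_URL_RE.finditer(pdf_bytes):
        if any(start <= m.start() < end for start, end in annot_spans):
            continue  # same bytes already recorded as a link annotation
        channels.setdefault(m.group(0).decode("latin-1"), set()).add("document_body")
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            inflated = zlib.decompress(m.group(1))
        except zlib.error:
            continue  # uncompressed or non-Flate stream; the raw scan above covered it
        for u in RAW_URL_RE.finditer(inflated):
            channels.setdefault(u.group(0).decode("latin-1"), set()).add("document_body")
    return channels


def link_farm_verdict(pdf_bytes, max_bytes=256 * 1024, min_links=8,
                      min_pdf_share=0.7, min_host_share=0.5):
    """PDF_SEO_LINK_FARM pattern: small file, many clickable external links, mostly to
    further PDFs, mostly on one host. Threshold values are assumptions."""
    channels = extract_urls(pdf_bytes)
    clickable = [u for u, c in channels.items() if "link_annotation" in c]
    n = len(clickable)
    hosts = Counter(urlsplit(u).hostname for u in clickable)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    pdf_targets = sum(urlsplit(u).path.lower().endswith(".pdf") for u in clickable)
    fired = bool(n and len(pdf_bytes) <= max_bytes and n >= min_links
                 and pdf_targets / n >= min_pdf_share and top_n / n >= min_host_share)
    return {"size": len(pdf_bytes), "clickable_links": n, "pdf_targets": pdf_targets,
            "top_host": top_host, "top_host_share": round(top_n / n, 2) if n else 0.0,
            "fired": fired, "channels": channels}


SAMPLE_PDF = build_sample_pdf(SAMPLE_LINK_URLS, BODY_URL)

if __name__ == "__main__":
    v = link_farm_verdict(SAMPLE_PDF)
    print(f"PDF_SEO_LINK_FARM fired={v['fired']} links={v['clickable_links']} "
          f"top_host={v['top_host']} share={v['top_host_share']}")
    for url, chans in sorted(v["channels"].items()):
        print(f"  {','.join(sorted(chans)):<16} {url}")
```

Running it lists twelve URLs labelled link_annotation and one labelled document_body (the one that only exists inside the compressed content stream, which the raw-byte scan misses until the stream is inflated), and the verdict fires on 12 links with a 0.75 share on one host. Real samples need more than this: object streams, `\r\n` line endings, escaped and hex-encoded strings, and /Launch or /GoToR actions all carry URLs this scanner does not see, so treat a negative result as "not found by these channels", not as clean.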

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000016e8.bin
SHA-256: 08550377be2990fe87db9de7fea4385133f43d20756b17adab2c7733b668fea5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x16E8
Size: 8104 bytes