Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d35235078332f1d…

Verdict: MALICIOUS
File type: PDF
Size: 29.3 KB
Authoring application: Nitro PDF
MD5: a7a74ff0bb16eafa414a34b9c3fea529
SHA-1: 89f188c9a5d33546e2ae508303c933c577eb2565
SHA-256: 1d35235078332f1dded7c6c672190fa75c5a12f8dcb777c4f17091ff2c77f6dd
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links pointing to other PDF files hosted on various domains. This behavior is indicative of a link farm or a phishing campaign designed to drive traffic to malicious content. The ClamAV detection and ML classifier strongly suggest malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious (score 1.0000)

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) [PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001d71.bin
SHA-256: a42440def158f61094888930045c5e1f92ee802876c06d098371b2273a095dd1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1D71
Size: 6464 bytes