Malicious PDF — malware analysis report

Static analysis result for SHA-256 1dc419f1cc26616a…

MALICIOUS

PDF

Size: 30.6 KB
Authoring application: Mobipocket Creator
MD5: eed8d4b658a6359f16d2731f2342c5f9
SHA-1: b8325edce7e09f6cec5ebd404f6004a6bf050f8e
SHA-256: 1dc419f1cc26616a370fba4f022f5153551595b4941a3a056007093bdbba7f2d
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The PDF_SEO_LINK_FARM heuristic identified a large number of embedded URLs, with the first being http://thehavens.club/uploads/1/3/0/7/130739346/fiwujapajixige.pdf. This suggests the document is designed to distribute malicious content or manipulate search engine results.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    First URL: http://thehavens.club/uploads/1/3/0/7/130739346/fiwujapajixige.pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001841.bin
SHA-256: eaa9b55202e7d199c5e60679e59c7b6d6cfe9f92d8be366708d33848ea46a369
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1841
Size: 6148 bytes