Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f14089bd60229cc…

Verdict: MALICIOUS
File type: PDF
Size: 51.8 KB
Authoring application: PDFBox
MD5: d21634d861a6c38d1cec0cc1a94a3ab4
SHA-1: 0f8df12f1b6455461ad325ce367c4c455371e3c4
SHA-256: 1f14089bd60229cc98816f5ceaa0fa7d61b97fe788dc972624b930d3769296bf
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious by ClamAV and an ML classifier, specifically flagged as a phishing attempt. The heuristic 'PDF_SEO_LINK_FARM' indicates the presence of numerous embedded links, suggesting a tactic to redirect users to potentially harmful external content. The document body, though partially corrupted, contains URLs that align with the link farm heuristic, reinforcing the phishing or malware distribution intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://cck-iuc.org/uploads/1/3/0/2/130287495/wofotupevebudar.pdf
    • http://pocketshows.com/uploads/1/3/0/7/130739227/4903581.pdf
    • http://conneracup.com/uploads/1/3/0/5/130588616/a3c47d27.pdf
    • http://veteransmusicfest.com/uploads/1/3/0/5/130538842/zugulovubapase-fipimawafibugox-negekezari-rutakexorefigo.pdf
    • http://tabithasdesigns.org/uploads/1/3/0/5/130550887/084be0d3e9ffc1d.pdf
    • http://mangocitrus.ca/uploads/1/3/0/4/130435888/46e296d5f190b.pdf
    • http://dizuxamej.thisthoughts.com/uploads/2020/01/28/bolapinopur_lijanu.pdf
    • http://madebybarone.com/uploads/1/3/0/4/130476101/8592966.pdf
    • http://dillybeanscateringandcafe.com/uploads/1/3/0/5/130590700/jupalaxabuxurujod.pdf
    • http://northwestuu.com/uploads/1/3/0/5/130588296/130588296.html#ketoacidosis+guidelines+nice

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001213.bin
    SHA-256: 514a9463387b820e30ee6b544239572eab9c1efcb19494b730c649d526918a91
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1213
    Size: 8028 bytes
  • Filename: font_01_sfnt_off00009020.bin
    SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9020
    Size: 2600 bytes