Malicious PDF — malware analysis report

Static analysis result for SHA-256 2572042c8b0dcfe3…

Verdict: MALICIOUS
File type: PDF
Size: 35.7 KB
Authoring application: PDFBox
MD5: eec449374a1ea52edc1f425f6a129c53
SHA-1: 0a49e431ccf0bb534dae5dba62ba957ecc614aa9
SHA-256: 2572042c8b0dcfe3617d1841241f427680628ddb21fb0a45169c43022bb106a6
Risk score: 150

Malware Insights

MITRE ATT&CK: T1566.002 Spearphishing Attachment; T1204.002 Malicious Link

The PDF document was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The critical PDF_SEO_LINK_FARM heuristic identified a large number of external links, with the primary domain being storystickies.com. These links are likely used to redirect users to phishing sites or download further malicious content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://storystickies.com/uploads/1/3/0/7/130740573/21b4caa00.pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001915.bin
SHA-256: 0e6afb1eda687c188b14326b75dda1b6c814fddb9f09080a6f9ddffabd0fbcb6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1915
Size: 8084 bytes