Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c097b2fa6a99f3f…

MALICIOUS

PDF

Size: 41.3 KB
Authoring application: PDF Studio
MD5: d9e8191ecdccd34cfa1dbfeaf04781d2
SHA-1: e4321a50c488b7041efdf91300d229770538a242
SHA-256: 2c097b2fa6a99f3fb76089337cfa07ecdc92c37a457f58cc3db1591dda20a3a8
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1204.002 User Execution: Malicious File

The file was flagged as malicious phishing content by three independent checks: a ClamAV signature, the ML classifier and a structural heuristic. The primary indicator is the large number of external link annotations in a small document, nearly all pointing at further .pdf files under near-identical /uploads/1/3/0/... paths on many different hosts. That pattern matches a generated SEO link farm that funnels users into a redirect chain rather than a genuine document citing sources. No JavaScript or other scripts were extracted, and the visible text was too obfuscated to identify the specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://vatspeak.com/uploads/1/3/0/6/130621193/9839719.pdf
    • http://djsilentj.com/uploads/1/3/0/6/130603905/fcfe6af8d.pdf
    • http://mijnheerdegroot.nl/uploads/1/3/0/5/130588622/tebufivoma.pdf
    • http://peanutline.net/uploads/1/3/0/7/130775275/vegifala-xemifada-walotalazakomo-kifemajin.pdf
    • http://magentabackpack.net/uploads/1/3/0/5/130551597/loxonenigiga.pdf
    • http://caninecompanionkollege.com/uploads/1/3/0/4/130488105/wiliw_tepejoxokivixo_kufegune.pdf
    • http://getsomestones.com/uploads/1/3/0/7/130775983/bigojere-leligixiz.pdf
    • http://npsvs.com/uploads/1/3/0/6/130639481/38295bc947aa.pdf
    • http://sparksnewstoday.com/uploads/1/3/0/5/130539933/jigul_sozusifofa.pdf
    • http://ccocciboutique.com/uploads/1/3/0/8/130814337/4d14c302b7a7b.pdf
    • http://myprovidenceconstruction.com/uploads/1/3/0/6/130639251/povopuzemo-dudidijup.pdf
    • http://hmsyearbook.com/uploads/1/3/0/6/130620551/mewabifepilolu_guripexenunumel.pdf
    • http://my-minis.com/uploads/1/3/0/8/130874136/bea94e.pdf
    • http://farmtablecatering.ca/uploads/1/3/0/3/130379475/4301662.pdf
    • http://turkeyvilla.info/uploads/1/3/0/5/130547069/kolatelu.pdf
    • http://cluetopia.org/uploads/1/3/0/6/130603978/5c57d81af79.pdf
    • http://lmylife.net/uploads/1/3/0/8/130874139/6082987.pdf
    • http://mhi-hoa.com/uploads/1/3/0/6/130603900/pegodijojasovuxus.pdf
    • http://silvercloudvape.co.uk/uploads/1/3/0/3/130323884/mesudarim-sazevo.pdf
    • http://myecns.com/uploads/1/3/0/4/130483939/liguges.pdf
    • http://www.jcitaipei.org/uploads/1/3/0/5/130543941/130543941.html#nursing+care+plans+for+acute+respiratory+distress+syndrome+%28ards%29
    • http://silvercloudvape.co.u
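The PDF_SEO_LINK_FARM heuristic and the per-channel URL labels listed above can be reproduced with standard-library Python. The script below is an added example, not the scanner's own code: it inflates FlateDecode streams, pulls URLs out of /URI link actions and out of free text, labels each with its channel, and then scores the file on size, clickable-link count and how tightly those links cluster on one host or on one generated path template (the /uploads/N/N/N/N/N shape seen in this sample). The thresholds (64 KB, 10 links, 50% clustering), the farm-NN.example hosts and the whole constructed sample PDF are assumptions for illustration.

```python
"""Link-farm heuristic over a PDF's URL channels (added example, standard library only)."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")     # /URI (literal string) inside a Link action
HTTP_RE = re.compile(rb"https?://[^\s<>()\[\]\"']+")       # any URL-shaped text, whatever the channel
# stream dictionary (one nesting level) followed by its body; a simplification of real PDF syntax
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def _unescape(lit: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for URIs."""
    return lit.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def _inflate_streams(data: bytes) -> bytes:
    """Append inflated FlateDecode stream bodies so URLs inside content streams become visible."""
    out = [data]
    for m in STREAM_RE.finditer(data):
        if b"/FlateDecode" in m.group(1):
            try:
                out.append(zlib.decompress(m.group(2)))
            except zlib.error:
                pass  # damaged or multi-filter stream: skip it rather than abort the scan
    return b"\n".join(out)


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """Return (url, channel) pairs; channel is 'link-annotation' or 'document-body'."""
    data = _inflate_streams(pdf)
    found, covered = [], []
    for m in URI_RE.finditer(data):                 # clickable links: the channel the heuristic counts
        found.append((_unescape(m.group(1)), "link-annotation"))
        covered.append(m.span(1))
    for m in HTTP_RE.finditer(data):                # everything else URL-shaped, minus the /URI hits
        if not any(a <= m.start() < b for a, b in covered):
            found.append((m.group(0).decode("latin-1"), "document-body"))
    return found


def link_farm_score(pdf: bytes, max_size: int = 64 * 1024, min_links: int = 10,
                    cluster_share: float = 0.5) -> dict:
    """Mirror of the PDF_SEO_LINK_FARM idea: a small file carrying many clickable external
    links that cluster on one host or on one generated path template. Thresholds are assumed."""
    links = [u for u, ch in extract_urls(pdf) if ch == "link-annotation"]
    n = len(links)
    hosts = Counter(urlsplit(u).hostname or "" for u in links)
    # directory part of the path with digit runs collapsed: /uploads/1/3/0/6/130621193 -> /uploads/N/N/N/N/N
    templates = Counter(re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0]) for u in links)
    top_host, host_n = (hosts.most_common(1) or [("", 0)])[0]
    top_tpl, tpl_n = (templates.most_common(1) or [("", 0)])[0]
    host_share = host_n / n if n else 0.0
    tpl_share = tpl_n / n if n else 0.0
    return {
        "size": len(pdf), "link_count": n,
        "top_host": top_host, "top_host_share": round(host_share, 2),
        "top_path_template": top_tpl, "top_path_template_share": round(tpl_share, 2),
        "triggered": len(pdf) <= max_size and n >= min_links and max(host_share, tpl_share) >= cluster_share,
    }


def build_linkfarm_pdf(n_links: int = 12) -> bytes:
    """Constructed stand-in for the sample: one page, n_links Link annotations to .pdf files under
    /uploads/1/3/0/... on distinct farm-NN.example hosts, one ordinary link, and a FlateDecode
    content stream whose text mentions a URL. Not the analysed file."""
    urls = [f"http://farm-{i:02d}.example/uploads/1/3/0/{i % 9}/13{i:07d}/{i:x}{i:x}.pdf"
            for i in range(n_links)]
    urls.append("http://vendor.example/about")
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>", b""]
    annots = []
    for u in urls:
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ({u}) >> >>".encode())
        annots.append(f"{len(objs)} 0 R")
    content = zlib.compress(b"BT (visit http://body-text.example/page) Tj ET")
    objs.append(b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(content) + content + b"\nendstream")
    objs[2] = f"<< /Type /Page /Parent 2 0 R /Annots [{' '.join(annots)}] /Contents {len(objs)} 0 R >>".encode()
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_linkfarm_pdf()
    for url, channel in extract_urls(sample):
        print(f"{channel:16} {url}")
    print(link_farm_score(sample))
```

Two caveats a practitioner should keep in mind: the byte-level regexes do not see inside cross-reference or object streams (/ObjStm) or through filters other than Flate, so a production scanner parses the object graph instead, and only the link-annotation channel feeds the farm score because URL-shaped text in a content stream is not clickable and is exactly what the EMBEDDED_URL entry above declines to treat as a detection on its own.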

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000041f8.bin
SHA-256: cafcd8823df9ca6f81d362af876d66b2ee552438e64a8b7eeb4fff2b97bf289a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x41F8
Size: 8032 bytes
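The carved font above is identified by where an sfnt header sits in the file and how far its table directory says the font extends. The following added example (not the sandbox's own carver) scans a byte blob for the three sfnt magics, validates the table directory so that stray matches such as the PDF keyword `true` are rejected, computes the font's extent, and emits a row shaped like the table above, SHA-256 included. The sample PDF and the three-table font it embeds are constructed for the example; real embedded fonts (FontFile2/FontFile3 streams) are almost always /FlateDecode-compressed and must be inflated with zlib before the scan.

```python
"""Locate, validate and carve embedded sfnt fonts from a byte blob (added example, stdlib only)."""
import hashlib
import struct

# sfnt version tags: TrueType outlines, CFF-based OpenType, Apple-style TrueType
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def parse_sfnt_extent(data: bytes, off: int):
    """Validate the offset table and table directory at `off`.
    Returns (num_tables, tags, total_length) or None when the bytes are not a plausible sfnt."""
    if off + 12 > len(data):
        return None
    num_tables = struct.unpack_from(">H", data, off + 4)[0]
    if not 1 <= num_tables <= 64:                       # real fonts carry a handful of tables
        return None
    end = 12 + 16 * num_tables
    if off + end > len(data):
        return None
    tags = []
    for i in range(num_tables):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", data, off + 12 + 16 * i)
        if not all(32 <= b < 127 for b in tag):         # tags are printable ASCII ('head', 'OS/2', 'CFF ')
            return None
        if toff < 12 or toff + tlen > len(data) - off:  # every table must lie inside the blob
            return None
        tags.append(tag.decode("ascii"))
        end = max(end, toff + tlen)
    end = min((end + 3) & ~3, len(data) - off)          # tables are 4-byte padded; never run past the blob
    return num_tables, tags, end


def carve_fonts(data: bytes) -> list[dict]:
    """Scan for sfnt headers, validate each, and return rows shaped like the artifact table."""
    rows, pos = [], 0
    while True:
        hits = [h for h in (data.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            break
        off = min(hits)
        parsed = parse_sfnt_extent(data, off)
        if parsed is None:                              # e.g. the PDF keyword 'true' in a dictionary
            pos = off + 1
            continue
        num_tables, tags, length = parsed
        blob = data[off:off + length]
        rows.append({
            "filename": f"font_{len(rows):02d}_sfnt_off{off:08x}.bin",
            "kind": "pdf-font-stream",
            "offset": off, "size": length, "num_tables": num_tables, "tables": tags,
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
        pos = off + length                              # skip the font body so its inner bytes are not rescanned
    return rows


def build_sample_sfnt() -> bytes:
    """Constructed TrueType-shaped blob: offset table, 3-entry directory, 4-byte padded table data."""
    tables = [(b"head", b"\x00" * 54), (b"cmap", b"\x00\x00\x00\x01" + b"\x00" * 8), (b"glyf", b"\xaa" * 7)]
    n = len(tables)
    entry_selector = n.bit_length() - 1                 # floor(log2 n), as the sfnt header defines it
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">4sHHHH", SFNT_MAGICS[0], n, search_range, entry_selector, n * 16 - search_range)
    directory, body, offset = b"", b"", 12 + 16 * n
    for tag, content in tables:
        directory += struct.pack(">4sIII", tag, 0, offset, len(content))
        padded = content + b"\x00" * (-len(content) % 4)
        body += padded
        offset += len(padded)
    return header + directory + body


def build_font_pdf() -> bytes:
    """Constructed PDF with the sample font in an uncompressed font stream, plus a 'true'
    keyword earlier in the file to exercise the false-positive path of the scanner."""
    font = build_sample_sfnt()
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Marked true >> endobj\n"
            + b"5 0 obj << /Length %d /Length1 %d >>\nstream\n" % (len(font), len(font))
            + font + b"\nendstream\nendobj\n%%EOF\n")


SAMPLE_ROWS = carve_fonts(build_font_pdf())

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row)
```

The extent check is what turns a magic-byte hit into a carvable artifact: a forged or truncated directory whose tables point outside the stream is rejected rather than carved, and the carved length comes from the directory, not from the stream's /Length, so a font that is shorter than its container is cut at the right place.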