Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c70f6d4484a0679…

MALICIOUS

PDF

Size: 37.4 KB
Authoring application: Inkscape
MD5: c24b106271902993a06238e76f17d6d9
SHA-1: 214d223d85b87b10cb1b0110151f59988c22aa3a
SHA-256: 2c70f6d4484a06794e3a3a47213bffd102f7bf0ddbbb2eb95b9d5cfee6ed43bc
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains a large number of embedded URLs, identified as a link farm. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or SEO abuse. The document body, though truncated, mentions 'IELTS writing task' and 'success', suggesting a lure to external content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002ef2.bin
SHA-256: 6763c9708b0769c573fee29a3fb315775640025f59640c1052f7f488ceae1357
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2EF2
Size: 8056 bytes