Malicious PDF — malware analysis report

Static analysis result for SHA-256 31b4621a16dabcc5…

Verdict: MALICIOUS
File type: PDF
Size: 44.6 KB
Authoring application: Serif PagePlus
MD5: 0bde23107eac399da2436b88ba957591
SHA-1: 156088e08327178a7d8dbe6a11772dd4023ddf1f
SHA-256: 31b4621a16dabcc583f9d7a1401b91d3323be44c52da30f1d3cabd85ff11a762
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. The primary indicator is the presence of a large number of embedded URLs, forming a link farm. This technique is often used for SEO manipulation or to redirect users to phishing or malware download sites. The embedded URLs suggest a phishing or content-luring attack pattern.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, tag: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://shenyuanfan.com/uploads/1/3/0/6/130604423/rixiriboduwokuj.pdf
    • http://icloud-verification.com/uploads/1/3/0/2/130273610/1438215.pdf
    • http://businessclaimingservice.com/uploads/1/3/0/2/130289640/29d21.pdf
    • http://michellecortese.com/uploads/1/3/0/5/130540402/4132277.pdf
    • http://rajiraziju.financebinom.info/uploads/2020/01/28/cf723d77a.pdf
    • http://cruisencocktails.com/uploads/1/3/0/6/130620561/622c338f6.pdf
    • http://athletesunitedoregon.com/uploads/1/3/0/4/130488105/6219275.pdf
    • http://longspeakchog.org/uploads/1/3/0/2/130273798/zomatunovese.pdf
    • http://xemadi.sputnikbaikal.ru/uploads/2020/01/29/kuwobuzonoxufom_waxutop_lolukaz_valudetetoj.pdf
    • http://replenishmysoul.com/uploads/1/3/0/6/130605389/41c31.pdf
    • http://out-the-back-door.com/uploads/1/3/0/6/130620909/gabufitanamimul.pdf
    • http://lolojuxo.zip-darom.ru/uploads/2020/01/29/a59de02cf38d.pdf
    • http://montebellonotarypublic.com/uploads/1/3/0/6/130621404/d460b5c784.pdf
    • http://room212productions.com/uploads/1/3/0/6/130604955/kafolewapod.pdf
    • http://sokugid.cityglush14.icu/uploads/2020/01/28/mobagujemiz.pdf
    • http://holistichealingsd.com/uploads/1/3/0/4/130489803/siloxurivive-kewinutomitap-tafipezoture-bewumupoj.pdf
    • http://touchmile.com/uploads/1/3/0/5/130542769/130542769.html#kenting+national+park+travel+guide

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000016fc.bin
  SHA-256: a262bd9e647689d09716c8ea4285fc8f4e29eff2b3e3e6c657892c58d5433f1d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x16FC
  Size: 9804 bytes

Filename: font_01_sfnt_off000069d0.bin
  SHA-256: 926934046978be40a7fabaf6f207f41799b1f567e56f46aae8aeef6c5a9730a8
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x69D0
  Size: 5836 bytes