Malicious PDF — malware analysis report

Static analysis result for SHA-256 33f0dedb000fc274…

Verdict: MALICIOUS
File type: PDF
Size: 42.3 KB
Authoring application: Serif PagePlus
MD5: 258799739b419559b3b5aff598c818e6
SHA-1: 5778a600cb2e1b9ffc8374528e641f77fec9d132
SHA-256: 33f0dedb000fc2740e1e88a35eccff18f87ad68527e69ad392cb389cd62c645f
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or SEO poisoning attack. The ML_NYX_PDF_MALICIOUS and ClamAV detections confirm its malicious nature. While no scripts were extracted, the embedded URLs are the primary indicators of malicious activity, likely serving as lures or redirects.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000028ca.bin | b080e6aa9682ff87567a230b404ab00780bafcfd3ba11e3f536b788ca6e08ef5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x28CA | 16060 bytes
font_01_sfnt_off00003d18.bin | 8cab4f5fd6fa2873c006dc31a7c41ace11ad357af656a929441f9ba500e5820e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x3D18 | 2996 bytes
font_02_sfnt_off00004a3a.bin | 49430700a4ca32a97abb1ec6901ecdc24ec97b72088264b2515dc133e6d75232 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4A3A | 8012 bytes