Malicious PDF — malware analysis report

Static analysis result for SHA-256 3438b9beea7469f2…

MALICIOUS

PDF

Size: 37.9 KB
Authoring application: Poppler-utils
MD5: b87052187a1361e770d681e78ea0be28
SHA-1: 9b4e32fc6e19c5ed7069bdfea4ccd2f843a18b0d
SHA-256: 3438b9beea7469f2fc1ffb0bb9aa987dfc2f8bf686d7c7a947cab1306f8d19ce
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links to other PDF files, a technique often used for SEO poisoning or to redirect users to malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution. The document body, though partially corrupted, contains URLs that are part of this link farm, suggesting the primary purpose is to lure users to download further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mirkamalmi.com/uploads/1/3/0/5/130546209/jefejijipiwakuzum.pdf
    • http://howelltohealawound.com/uploads/1/3/0/5/130542894/7634380.pdf
    • http://mx.oregoneqc.com/uploads/1/3/0/7/130776338/wasajejip_gamurefokefa.pdf
    • http://marriagepriority.com/uploads/1/3/0/7/130775196/gerabegogevori-potofoxup-tavasorujuzuvap.pdf
    • http://smartgridman.com/uploads/1/3/0/4/130435624/felekorononipilateta.pdf
    • http://neverrunoutofthingstosay.com/uploads/1/3/0/5/130551325/zimikutulozobaf.pdf
    • http://nycmarket.net/uploads/1/3/0/8/130814176/buramapepegoza.pdf
    • http://jacksonholeskipackages.net/uploads/1/3/0/5/130550742/rujixugatesovirisunu.pdf
    • http://www.paulhayward.org.uk/uploads/1/3/0/2/130289431/buvabodugiko-tosesewuxejut.pdf
    • http://www.a4-as.com/uploads/1/3/0/4/130493816/tuwiron-modinevuga-xiwiro.pdf
    • http://www.leilaandersson.com/uploads/1/3/0/4/130475881/xulaj_zapopor.pdf
    • http://blackoutforhumanrights.com/uploads/1/3/0/6/130639244/magozafuromutozevak.pdf
    • http://pungentoder.com/uploads/1/3/0/5/130539427/fdd63bb706ce.pdf
    • http://s-p-q.org/uploads/1/3/0/7/130739652/funojagibabefaladif.pdf
    • http://www.paulapoundstone.org/uploads/1/3/0/8/130813428/medadofe-munimat-vikedigeveluvi.pdf
    • http://www.kyletackitt.com/uploads/1/3/0/7/130776388/bafevulijexesuwuloj.pdf
    • http://host23.carmichaelnl.com/uploads/1/3/0/4/130490461/130490461.html#convertire+file+dwg+in+pdf+gratis

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003832.bin
SHA-256: 239329fb89f1b7a9a9ef4556c16712bec7b3ea0d3b4ab75bb412f0976a5f7179
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3832
Size: 8436 bytes