Malicious PDF — malware analysis report

Static analysis result for SHA-256 37598fb03ceef30c…

Verdict: MALICIOUS
File type: PDF
Size: 45.9 KB
Authoring application: Serif PagePlus
MD5: a9c5b669a19706980ee0b34d9414f79c
SHA-1: 76cb4ab6750eb8973ae8c5a49a366e6f3643da2d
SHA-256: 37598fb03ceef30c712b35d5137e1d66dbe7e235748767a111b06913dc7e5b3f
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule and ClamAV detection for phishing. The document body contains numerous embedded URLs, all pointing to external PDF files hosted on various domains. This suggests a coordinated effort to distribute malicious links, likely for SEO manipulation or to redirect users to phishing or malware sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000125a.bin
SHA-256: f2778c08a61b641e32a01c2e1e5933e308bd11373fdd04f204498b9f186b5068
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x125A
Size: 9128 bytes

Filename: font_01_sfnt_off00006d03.bin
SHA-256: 5f95318943fcfbd77322bbb5cad315370152876080c91ba93f69ac7a8b13a41a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6D03
Size: 16208 bytes