Malicious PDF — malware analysis report

Static analysis result for SHA-256 38d17ffe974ab197…

Verdict: MALICIOUS
File type: PDF
Size: 37.7 KB
Authoring application: PDFBox
MD5: 35f883dbcd6291b8883ac62623615afe
SHA-1: 373bd976b1c66a5a02c6d9a89ac88485ea0382d9
SHA-256: 38d17ffe974ab1972673a9ec3ac8b0c975174fcae0299e2358fde66497d40ecb
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

This PDF file was flagged by multiple heuristics as malicious, including a critical PDF_SEO_LINK_FARM rule and ClamAV detection for phishing. The document contains a large number of embedded URLs pointing to external PDF files, suggesting a link farm or redirection mechanism. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the primary attack pattern appears to be SEO spam or phishing via a network of linked PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://chimneycarepros.mobi/uploads/1/3/0/5/130541765/23d0e7ebf8b.pdf
    • http://muskegonapostolic.com/uploads/1/3/0/5/130540472/wobubo.pdf
    • http://betteraustintoday.com/uploads/1/3/0/7/130776801/23e6c644330d61.pdf
    • http://newperspectivemedical.com/uploads/1/3/0/7/130775940/963478818.pdf
    • http://wepalmthree.com/uploads/1/3/0/3/130313180/3762589.pdf
    • http://chhsports.com/uploads/1/3/0/4/130476276/5190043.pdf
    • http://amaliebrenner.com/uploads/1/3/0/3/130379251/c096582c1637fc.pdf
    • http://momof3xy.com/uploads/1/3/0/7/130739947/4095314.pdf
    • http://mikemythphotography.com/uploads/1/3/0/6/130620366/gisurutixa-lemawozudugoteg-dasibagapa-kowoxobonawite.pdf
    • http://moayas.com/uploads/1/3/0/6/130620916/8ad2965b2.pdf
    • http://descorbeth.com/uploads/1/3/0/2/130274349/gobezalosenuzit.pdf
    • http://cityonloc.com/uploads/1/3/0/2/130289498/wowatidewax-gipilum.pdf
    • http://zenlockyt.com/uploads/1/3/0/3/130379379/madopejiralefu_mikiwoxupul.pdf
    • http://brownsugarbabyllc.com/uploads/1/3/0/3/130323564/wewibisazu.pdf
    • http://bristlebear.com/uploads/1/3/0/5/130539871/d0307040d4a.pdf
    • http://www.ericggoodenjr.com/uploads/1/3/0/6/130620563/bebadugumonor-pazekuzuvewodu-wisudud-soxil.pdf
    • http://heidilavon2020calendar.shop/uploads/1/3/0/3/130324370/vifub.pdf
    • http://a1810123xstreamtravel.xsideas.com/uploads/1/3/0/5/130541745/130541745.html#cheat+gta+san+andreas+darah+kebal+ps2

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003713.bin
SHA-256: 839f25a5e01fd7064c29ba0f08e589dfb9a26761600d53bc0b11b196bdeb426b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3713
Size: 7728 bytes