Malicious PDF — malware analysis report

Static analysis result for SHA-256 398ec10022f263ab…

MALICIOUS

PDF

Size: 38.5 KB
Authoring application: PDF Studio
MD5: bd0f352e0426e6a9ddf52a079e78f465
SHA-1: 41f036689423aa8eb8731d2b052b424784e05b22
SHA-256: 398ec10022f263ab32f60d4508a7e6880143369df1f37fb26c90f862a8243e3a
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files on various domains. This technique is indicative of a link farm or SEO manipulation strategy, likely intended to distribute malicious content or drive traffic. The ClamAV detection and ML classifier strongly support a malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://bloatedcarcass.com/uploads/1/3/0/6/130639100/2666766.pdf
    • http://rachelnurmiart.com/uploads/1/3/0/4/130489841/tosuniraril.pdf
    • http://surveyswipe.com/uploads/1/3/0/5/130544584/titepopude.pdf
    • http://mutethiajuniorschool.com/uploads/1/3/0/5/130543386/noxazolurido-fuwiz-gonojenagew.pdf
    • http://www.zaeligracefoundation.com/uploads/1/3/0/6/130604561/6709984.pdf
    • http://byzantinegreek.com/uploads/1/3/0/2/130270873/jevitep.pdf
    • http://www.gregmatsumoto.com/uploads/1/3/0/5/130589397/kaduvabovemad.pdf
    • http://mouseandcastle.ca/uploads/1/3/0/2/130270989/3b4ffe2af.pdf
    • http://luvofit.com/uploads/1/3/0/5/130550981/xudonanasiwas.pdf
    • http://hostmaster.thegemboutique.com/uploads/1/3/0/6/130639559/zobuzuzikewuvan_jogubinifa.pdf
    • http://tngeographicalliance.com/uploads/1/3/0/5/130550698/c13a128841.pdf
    • http://thetechhealer.com/uploads/1/3/0/7/130775878/7982533.pdf
    • http://sublimepainting.net/uploads/1/3/0/6/130621212/wemiravowu.pdf
    • http://houstonrealtorleads.com/uploads/1/3/0/2/130272575/2193030.pdf
    • http://buchanannutrition.com/uploads/1/3/0/6/130603941/8588329.pdf
    • http://butterflyacres.net/uploads/1/3/0/6/130639879/rasixedibefixu-gorisif-bujizosuwagel.pdf
    • http://ngsprephoops.com/uploads/1/3/0/5/130539115/a3229a64.pdf
    • http://danicagoward.com/uploads/1/3/0/7/130739994/dijorularozu-selijijozizizo-pukojejup.pdf
    • http://operationhavoc.com/uploads/1/3/0/5/130551639/zelemalidenamofosaxi.pdf
    • http://mcypaa41.com/uploads/1/3/0/4/130488888/rilijaviwosut.pdf
    • http://deadbikerssociety.com/uploads/1/3/0/7/130776130/be8d8.pdf
    • http://redpenapp.net/uploads/1/3/0/5/130546880/wawasikilasi-rogebivumod.pdf
    • http://strapongalleries.porncolection.com/uploads/1/3/0/7/130776809/5860846.pdf
    • http://geigersound.com/uploads/1/3/0/7/130740385/vosirevabu.pdf
    • http://murraywhiteley.com/uploads/1/3/0/5/130551364/130551364.html#kindle+2019+6+ereader+wifi+black+review

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000033a8.bin
SHA-256: 7c39a3fc6e9e3c465fd40cf4a5bf1345d7f62c67d5a80e57df299001b63afbf3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x33A8
Size: 7676 bytes