Malicious PDF — malware analysis report

Static analysis result for SHA-256 3c4f7ff40d73768e…

Verdict: MALICIOUS
File type: PDF
Size: 42.0 KB
Authoring application: Solid Converter PDF
MD5: fc06a3a2bd654382b01ded7fd45d5bfd
SHA-1: 032ca4cc63d58192f06330276ab24113fb2e82f0
SHA-256: 3c4f7ff40d73768ebf4e0fa92b62393c8f6fd61db7d3690d4d2948cabb3eb400
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF carries a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic: 21 link targets on 21 distinct hosts, 20 of them .pdf files, all sharing the same /uploads/1/3/0/<n>/<site-id>/ path layout. That uniform layout across unrelated domains points to automatically generated pages on a common hosting platform rather than genuine document citations. The Nyx PDF classifier score (1.0000) and the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 indicate that these links likely route users into phishing or unwanted-software delivery. The document body itself is largely unreadable because of truncation and encoding issues, but the link farm alone is enough to classify the file as a phishing or redirection lure. No scripts (JavaScript or other active content) were extracted from this sample, so the payload is reached only by a user clicking a link.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://seanaudleylaw.com/uploads/1/3/0/6/130620990/mififigoxa_xasiwuwik_kosetoruj.pdf
    • http://rondpetitpatapon.org/uploads/1/3/0/5/130589397/serudunukape.pdf
    • http://www.oakknob.com/uploads/1/3/0/7/130775294/7766226.pdf
    • http://sound-systems.net/uploads/1/3/0/2/130270798/sepexeni.pdf
    • http://dutchiesfreshmarket.com/uploads/1/3/0/7/130775840/8438468.pdf
    • http://analogelectronicsmt.com/uploads/1/3/0/2/130289457/81f5e65d157c.pdf
    • http://paradiseuganda.net/uploads/1/3/0/6/130620490/rexikoxidaw.pdf
    • http://spa139.com/uploads/1/3/0/7/130775441/6656401.pdf
    • http://drashcraft.com/uploads/1/3/0/2/130270869/b557a3e96d69c12.pdf
    • http://daycareinsanrafael.com/uploads/1/3/0/7/130738890/mamawo-gaduzituzile-kawen-tozezu.pdf
    • http://unicorninvestmentsgroup.com/uploads/1/3/0/7/130775431/a6ede3c5.pdf
    • http://desertscapelandscape.com/uploads/1/3/0/4/130476503/b36780e.pdf
    • http://griffithfitness.com/uploads/1/3/0/2/130272452/fepuboratosod-fakelivezoxobi.pdf
    • http://www.aahoa.online/uploads/1/3/0/5/130551782/f8c76924be1f4e7.pdf
    • http://groundswellfoundation.org/uploads/1/3/0/3/130323315/toruderawapire.pdf
    • http://sneaksneakgame.com/uploads/1/3/0/2/130289336/7101298.pdf
    • http://www.nortiaequities.com/uploads/1/3/0/4/130476744/binezu-julebenapexed-sojoseb.pdf
    • http://syedholdingsllc.com/uploads/1/3/0/6/130603807/kosimu_pafitevi_kowiwipituwivit.pdf
    • http://divinedesign.biz/uploads/1/3/0/4/130483285/716f6e47f010d3.pdf
    • http://thewicklowway.org/uploads/1/3/0/5/130588740/3076512.pdf
    • http://74-123-76-48.mgwnet.com/uploads/1/3/0/5/130551487/130551487.html#what+do+amorphous+and+crystalline+solids+have+in+common
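The link-farm heuristic works on the /Link annotations a PDF carries. The Python below is an added example, not the analysis platform's own code: it builds a constructed PDF with /URI link annotations, extracts the targets with a regex, and applies a PDF_SEO_LINK_FARM-style score whose thresholds (file size, minimum .pdf link count, 70% concentration) are assumptions. It goes one step beyond the heuristic text by also clustering on the path template, because in this sample every URL sits on a different host but all of them share one /uploads/.../ layout. The regex pass only sees objects stored in clear; annotations inside FlateDecode object streams must be inflated first.

```python
import re
from collections import Counter
from urllib.parse import urlsplit


# --- constructed input --------------------------------------------------------
def build_link_pdf(urls):
    """Return a minimal, uncompressed PDF (no xref table; a viewer would
    rebuild it) whose single page carries one /Link annotation with a /URI
    action per URL. Constructed test input, not the analysed sample."""
    objs = ["<< /Type /Catalog /Pages 2 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                f"/Annots [{refs}] >>")
    for u in urls:
        objs.append("<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({u}) >> >>")
    body = "%PDF-1.4\n" + "".join(f"{n} 0 obj\n{o}\nendobj\n"
                                  for n, o in enumerate(objs, 1))
    return (body + "trailer\n<< /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


# Twelve .pdf links on twelve different hosts that share one /uploads/.../ path
# layout, plus one .html page: the shape of the URL list in the report above.
# Hostnames are made up for the example.
FARM_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 8}/13{i:07d}/doc{i}.pdf"
             for i in range(12)]
FARM_URLS.append("http://site99.example/uploads/1/3/0/5/130551487/130551487.html#what+is+x")
FARM_PDF = build_link_pdf(FARM_URLS)
BENIGN_PDF = build_link_pdf(["https://www.example.org/paper.pdf",
                             "https://doi.example.org/10.1000/xyz"])


# --- extraction ---------------------------------------------------------------
URI_RE = re.compile(rb"/URI\s*\((.*?)\)")   # literal-string /URI values only


def extract_uris(pdf_bytes):
    """Pull /URI action targets out of the raw bytes. This only sees objects
    stored in clear; real samples often keep annotations inside FlateDecode
    object streams, which a production parser inflates first."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf_bytes)]


# --- heuristic ----------------------------------------------------------------
def link_farm_score(pdf_bytes, max_size=100 * 1024, min_pdf_links=10, min_share=0.7):
    """PDF_SEO_LINK_FARM-style check (thresholds are assumptions): a small file
    whose clickable links mostly point at external .pdf files and cluster on
    one host or, as in this sample, on one generated path template."""
    urls = extract_uris(pdf_bytes)
    ext = [urlsplit(u) for u in urls if u.lower().startswith(("http://", "https://"))]
    pdf_links = [p for p in ext if p.path.lower().endswith(".pdf")]
    hosts = Counter(p.hostname for p in ext)
    # Collapse digit runs so /uploads/1/3/0/6/130620990 and /uploads/1/3/0/5/130589397
    # fall onto the same template; that shared layout is the generated-site signal.
    templates = Counter(re.sub(r"\d+", "N", p.path.rsplit("/", 1)[0]) for p in ext)
    n = len(ext)
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template = templates.most_common(1)[0][1] / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size
               and len(pdf_links) >= min_pdf_links
               and max(top_host, top_template) >= min_share)
    return {"size": len(pdf_bytes), "urls": n, "pdf_links": len(pdf_links),
            "distinct_hosts": len(hosts), "top_host_share": round(top_host, 2),
            "top_template_share": round(top_template, 2), "flagged": flagged}


if __name__ == "__main__":
    for name, blob in (("farm", FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, link_farm_score(blob))
```

Running it flags the constructed farm (12 .pdf links, 13 distinct hosts, template share 1.0) and passes the two-link benign file. On a real sample, feed the inflated object streams into extract_uris rather than the raw file, or the count will be zero for any PDF that compresses its annotation objects.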

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000449d.bin
SHA-256:  78189c087158c101985083152afab838103d40061a76689d91c3bd3bec153b76
Kind:     pdf-font-stream (PDF embedded font, sfnt)
Source:   stream at offset 0x449D in the sample
Size:     8240 bytes
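The carved artifact above is an embedded font stream identified by its sfnt signature. As an added example, not the platform's carving code, the Python below builds a constructed PDF containing a stand-in /FontFile2 stream, walks every uncompressed stream with a direct /Length, checks the first bytes against the sfnt magic tags, and reports offset, size and SHA-256 the way the artifact row does. carve_at re-checks a given offset/length pair by hand, which is how one would validate a row such as "offset 0x449D, 8240 bytes" against the original file. The fake font, object layout and function names are assumptions for the example.

```python
import hashlib
import re
import struct

# sfnt containers start with one of these tags: TrueType 1.0, Apple 'true',
# OpenType/CFF 'OTTO', TrueType collection 'ttcf'.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def fake_sfnt(size=256):
    """Constructed stand-in for an embedded TrueType font: a valid sfnt offset
    table (version 1.0, one table record) zero-padded to `size`. Not a real font."""
    header = struct.pack(">IHHHH", 0x00010000, 1, 16, 0, 0)
    record = b"head" + struct.pack(">III", 0, 28, 54)   # checksum, offset, length
    return (header + record).ljust(size, b"\0")


FAKE_FONT = fake_sfnt()


def build_font_pdf(font_bytes):
    """Minimal uncompressed PDF with one /FontFile2 stream (constructed input)."""
    head = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"2 0 obj\n<< /Type /FontDescriptor /FontName /Fake /FontFile2 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Length " + str(len(font_bytes)).encode() + b" >>\nstream\n")
    return head + font_bytes + b"\nendstream\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


FONT_PDF = build_font_pdf(FAKE_FONT)

# Matches a stream dictionary with a direct (not indirect) /Length; the data
# starts right after the newline that follows the 'stream' keyword.
STREAM_RE = re.compile(rb"/Length\s+(\d+)[^>]*>>\s*stream\r?\n")


def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()


def carve_sfnt_streams(pdf_bytes):
    """Walk every stream with a direct /Length, skip those that declare a
    /Filter (their payload must be decoded before a magic check means
    anything), and report offset, size and SHA-256 of each stream whose first
    bytes look like an sfnt font."""
    found = []
    for m in STREAM_RE.finditer(pdf_bytes):
        dict_start = pdf_bytes.rfind(b"obj", 0, m.start())
        if b"/Filter" in pdf_bytes[dict_start:m.start()]:
            continue
        offset, size = m.end(), int(m.group(1))
        blob = pdf_bytes[offset:offset + size]
        if blob.startswith(SFNT_MAGICS):
            found.append({"offset": offset, "size": size, "sha256": sha256_hex(blob)})
    return found


def carve_at(pdf_bytes, offset, size):
    """Re-check a report row by hand: slice the stated range and validate it."""
    blob = pdf_bytes[offset:offset + size]
    return {"is_sfnt": blob.startswith(SFNT_MAGICS), "size": len(blob),
            "sha256": sha256_hex(blob)}


if __name__ == "__main__":
    for hit in carve_sfnt_streams(FONT_PDF):
        print(f"font stream at offset 0x{hit['offset']:X}, {hit['size']} bytes, "
              f"sha256 {hit['sha256']}")
```

Because the hash is taken over the raw stream payload, a match between carve_at on the original file and the artifact row confirms that the carved .bin is byte-identical to what sits at that offset. Streams with a /Filter (typically FlateDecode for fonts) need to be inflated before the same check, which is why the example skips them instead of hashing compressed bytes under the wrong label.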