Malicious PDF — malware analysis report

Static analysis result for SHA-256 3df26d91d73dd82f…

MALICIOUS

PDF

Size: 42.7 KB
Authoring application: PDFedit
MD5: eb364d9de732d6463e448883d7b05bb1
SHA-1: 15bb15a3ed3f7b6b4fdbec71180e562d05bc8c94
SHA-256: 3df26d91d73dd82fb767565021a35952a330cb208fa353f2dd29798225f35a60
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs, forming a link farm. The document body uses a "congestive cardiac failure pdf download" lure to entice users to click on these links. The heuristic PDF_SEO_LINK_FARM specifically identifies this behavior, indicating a phishing or redirection campaign. The ML classifier and ClamAV detection further confirm the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.lyfeattap.com/uploads/1/3/0/3/130323298/wakejawe.pdf
    • http://drrosechildcentredcounselling.com/uploads/1/3/0/2/130289703/xopisov.pdf
    • http://mjyoga.net/uploads/1/3/0/7/130739789/4895810.pdf
    • http://nicknewmont.net/uploads/1/3/0/5/130590051/f63841.pdf
    • http://azaharaacelera.com/uploads/1/3/0/4/130476161/wolil.pdf
    • http://southviewkokomo.com/uploads/1/3/0/7/130776594/pidoxogobejajireki.pdf
    • http://pwrbit.net/uploads/1/3/0/8/130873784/buropuvovenol.pdf
    • http://museumeats.com/uploads/1/3/0/6/130621093/8478617.pdf
    • http://relash.us/uploads/1/3/0/5/130542968/dusipuramakot-kuduki-zolujibenu-jimaj.pdf
    • http://cloverfamily.net/uploads/1/3/0/5/130547624/nakuvoralejomo.pdf
    • http://danielrinaldi.com/uploads/1/3/0/7/130776058/f371a6bd6dbc.pdf
    • http://lusciouslucyplumpmmmjuicy.vip/uploads/1/3/0/9/130969702/83ea11d611.pdf
    • http://kingdomartisans.org/uploads/1/3/0/6/130620391/fozenu.pdf
    • http://rasakangas.eu/uploads/1/3/0/5/130541140/6f0ed20a3.pdf
    • http://gateway-of-light.org/uploads/1/3/0/7/130775277/232627.pdf
    • http://www.dalyancakes.com/uploads/1/3/0/2/130289772/getaponewajez-kinupuwa.pdf
    • http://saltcityvolleyball.com/uploads/1/3/0/6/130604778/8446948.pdf
    • http://ubs-taxfreelosses.com/uploads/1/3/0/2/130272619/7716892.pdf
    • http://lightisadrug.com/uploads/1/3/0/6/130639861/73b085e7406.pdf
    • http://coreducate.com/uploads/1/3/0/4/130490786/pupuluvave_lefum_giduwuvozuzop_zapuzemox.pdf
    • http://adsl-63-204-18-17.benefitplans.org/uploads/1/3/0/6/130620474/130620474.html#congestive+cardiac+failure+pdf+download

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000489a.bin
    SHA-256: 70941847380a9acd86aa0c1ec3ba41cb682a64e99de0140b3a7d017c1495b4d6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x489A
    Size: 7704 bytes