Malicious PDF — malware analysis report

Static analysis result for SHA-256 3fd0f768453abfd2…

MALICIOUS

PDF

Size: 43.5 KB
Authoring application: Serif PagePlus
MD5: a686238c473f824b3b185f0093cae986
SHA-1: c1109392ff60b26e82d51336122c43a0342154b9
SHA-256: 3fd0f768453abfd29f3007c89e6644049a4430ef41c5365cfa68c9553b97cf18
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including a critical finding for a 'PDF_SEO_LINK_FARM' and a high ML score, indicating malicious intent. ClamAV also detected it as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The file contains a large number of embedded URLs pointing to other PDF documents across various domains. This suggests a phishing or SEO-based lure campaign designed to redirect users to potentially malicious content or manipulate search engine rankings.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004ac2.bin
SHA-256: eb60c8ba2016e2b2d279823c9149a480a98082007f4beabb0b741eeb3768d68e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4AC2
Size: 7868 bytes