Malicious PDF — malware analysis report

Static analysis result for SHA-256 4030e84512e8a751…

Verdict: MALICIOUS
File type: PDF
Size: 48.7 KB
Authoring application: Mobipocket Creator
MD5: ef28690865b6e9fed73b287cc638f6ef
SHA-1: f6591bbb5cdd0902ab62067cfd85afc734fac1e4
SHA-256: 4030e84512e8a751e03d77c193a8704401b56811e3860a669feb186086ac0d49
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF is small (48.7 KB) yet carries 19 clickable external links, 18 of them to other PDF files, spread across 19 distinct hosts that all share the same /uploads/1/3/0/<n>/<id>/ directory layout; the single non-PDF target is an HTML page whose URL fragment is an SEO keyword string (advanced+reading+exercises+for+esl+students). That is the signature of a generated link-farm carrier used to route users into a redirection chain, not of a document with genuine citations. Note that the heuristic's stock description speaks of links "mostly clustered on one host"; in this sample the clustering is on the shared path template rather than on any one host. The ClamAV signature (Pdf.Phishing.TtraffRobotInstall-7605656-0) and the ML classifier (score 0.9999) agree on malicious intent, most likely phishing or unwanted-software distribution. No scripts were extracted, the only carved artifacts are two embedded sfnt fonts, and the body text is largely unreadable, so the verdict rests on the link structure and the signature matches rather than on an executable payload. The "Mobipocket Creator" authoring string is document metadata under the author's control and should not be read as provenance.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; per-URL labels normally state which channel (macro, JS, link annotation, document body, ...) reached each URL, but none are included in this export. 19 URLs were extracted, on 19 distinct hosts, 18 pointing at .pdf files and one at an .html page:
    • http://lightscameracreate.com/uploads/1/3/0/6/130621447/b41d018250.pdf
    • http://stryienska.com/uploads/1/3/0/7/130739068/toxuleminegoboguvov.pdf
    • http://crowdbrain.com/uploads/1/3/0/6/130639052/jirivarujesibem-perega-xerejux.pdf
    • http://mta-sts.surfviewdna.com/uploads/1/3/0/7/130775309/kuvure.pdf
    • http://estudio-uno.com/uploads/1/3/0/3/130313087/maxasitodugazufogi.pdf
    • http://niamaacartistry.info/uploads/1/3/0/7/130774982/5035175.pdf
    • http://wkrherefords.com/uploads/1/3/0/6/130639849/faruxinusinafuluvu.pdf
    • http://www.procine.co/uploads/1/3/0/3/130323184/e19d5a.pdf
    • http://moheal-moringa.com/uploads/1/3/0/6/130640091/mozixewobo_xubivugarezi_tatexipox.pdf
    • http://fusiononlineservices.com/uploads/1/3/0/3/130379183/b2f4e4.pdf
    • http://mail.lymphlight.com/uploads/1/3/0/6/130621310/3640707.pdf
    • http://www.lchcs.com/uploads/1/3/0/2/130289690/pofuro.pdf
    • http://yx4db.rhsdb.com/uploads/1/3/0/5/130589313/3191379.pdf
    • http://redskinscheerleaderalumni.com/uploads/1/3/0/5/130588343/3905749.pdf
    • http://mysmartinspection.com/uploads/1/3/0/6/130621293/88ffe57396ae.pdf
    • http://www.g2-serve.com/uploads/1/3/0/4/130488395/gefadaxudut-tidelif-pipopidifusa.pdf
    • http://coldwatercollections.com/uploads/1/3/0/7/130775865/naxenuruzikinej-wosumiladuditi-jatasipikid.pdf
    • http://chivoremerald.org/uploads/1/3/0/7/130776747/6052056.pdf
    • http://efrold4.brdge.org/uploads/1/3/0/2/130288317/130288317.html#advanced+reading+exercises+for+esl+students
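
The following is an added example, not the report's own tooling: a small Python script that pulls the targets of /Link annotations with /URI actions out of a PDF and scores the three indicators the PDF_SEO_LINK_FARM heuristic describes (small file, many clickable external links, links that cluster). It clusters on the shared directory template rather than on one host, since that is what the URL list above actually shows. The sample PDF and its URLs are constructed for the example (invented .invalid hosts that mimic the /uploads/1/3/0/<n>/<id>/ layout); the thresholds are this example's assumptions. It only reads uncompressed objects, so for a real sample normalise first with `qpdf --qdf --object-streams=disable in.pdf out.pdf`.

```python
"""Link-farm check for a small PDF (added example, not the report's own tooling).

Extracts /URI targets of link annotations from uncompressed PDF objects and scores
link-farm indicators: small file, many external links, targets that cluster on
.pdf files or on one directory template. Assumes objects are not hidden inside
compressed object streams (run qpdf --qdf --object-streams=disable first).
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample URLs: hosts are invented (.invalid TLD); the path mimics the
# /uploads/1/3/0/<n>/<id>/ layout shared by the URLs listed in the report.
SAMPLE_URLS = [
    f"http://host{i:02d}.invalid/uploads/1/3/0/{i % 8}/1306{i:05d}/doc{i}.pdf"
    for i in range(14)
] + ["http://host99.invalid/uploads/1/3/0/2/130288317/page.html#free+reading+pdf"]


def build_sample_pdf(urls):
    """Build a minimal one-page PDF with one /Link annotation per URL.

    Constructed test input only: no xref table is written, because the
    extractor below scans object bodies and never uses it."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annot_refs + b"] >>")
    for i, url in enumerate(urls):
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 %d 300 %d] "
                    b"/A << /S /URI /URI (%s) >> >>"
                    % (20 * i, 20 * i + 15, url.encode("latin-1")))
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, start=1))
    return b"%PDF-1.4\n" + body + b"trailer << /Root 1 0 R >>\n%%EOF\n"


# /URI followed by a PDF literal string; backslash escapes inside are allowed.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)


def extract_uri_links(pdf_bytes):
    """Return every /URI literal-string target found in uncompressed objects."""
    links = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        links.append(raw.decode("latin-1"))
    return links


def dir_template(url):
    """Directory part of the URL path with digit runs normalised, so
    /uploads/1/3/0/6/130621447/x.pdf -> /uploads/<n>/<n>/<n>/<n>/<n>/"""
    directory = urlsplit(url).path.rsplit("/", 1)[0] + "/"
    return re.sub(r"\d+", "<n>", directory)


def assess_link_farm(pdf_bytes, min_links=10, max_size=200_000, share=0.7):
    """Score link-farm indicators; the thresholds are this example's assumptions."""
    urls = [u for u in extract_uri_links(pdf_bytes)
            if u.lower().startswith(("http://", "https://"))]
    n = len(urls)
    hosts = Counter(urlsplit(u).hostname for u in urls)
    templates = Counter(dir_template(u) for u in urls)
    pdf_targets = sum(1 for u in urls if urlsplit(u).path.lower().endswith(".pdf"))
    top_template, top_count = templates.most_common(1)[0] if templates else ("", 0)
    return {
        "size": len(pdf_bytes),
        "links": n,
        "hosts": len(hosts),
        "pdf_targets": pdf_targets,
        "top_template": top_template,
        "template_share": round(top_count / n, 3) if n else 0.0,
        # small file + many external links + targets cluster on PDFs or on one path layout
        "link_farm": (len(pdf_bytes) <= max_size and n >= min_links
                      and (pdf_targets >= share * n or top_count >= share * n)),
    }


if __name__ == "__main__":
    for label, urls in (("link farm", SAMPLE_URLS),
                        ("benign", ["https://example.org/paper.pdf",
                                    "https://example.com/about"])):
        print(label, assess_link_farm(build_sample_pdf(urls)))
```

On the constructed sample the script reports 15 links on 15 hosts, 14 of them PDF targets, all sharing the template /uploads/<n>/<n>/<n>/<n>/<n>/, and flags it; a two-link control PDF is not flagged. The host count is deliberately not a condition, because a farm spread across many hosts (as in this sample) would otherwise slip past a "one host" rule.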

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off000053dc.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x53DC   2604 bytes
    SHA-256: 83d89f79375f7f339e88070a8779324ce221c94923bff415e388e162fbc46cfe
font_01_sfnt_off00005fc2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5FC2   8480 bytes
    SHA-256: 8697cc09be762139231883eea6327666cf93cdc5b55593bb5dce9c64ce6e71df
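
Added example, not the report's own carver: a check that a blob carved at a given offset really is an sfnt container (the TrueType/OpenType format of the two artifacts above) rather than a chance hit on the 4-byte magic, plus the span its table directory covers. The font stream and the font inside it are constructed for the example; nothing here is taken from the carved artifacts themselves, and the magic-scanning approach assumes the stream data has already been inflated if it was FlateDecode-compressed.

```python
"""Validate carved sfnt font blobs (added example, not the report's carver).

An sfnt starts with a 4-byte version tag, a 16-bit table count and a directory
of 16-byte records (tag, checksum, offset, length). Scanning for the magic
alone gives false hits, so the directory is checked for sanity and the byte
span the tables occupy is computed from it.
"""
import re
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")


def parse_sfnt(blob, max_tables=64):
    """Return the table directory of an sfnt starting at blob[0], or None."""
    if len(blob) < 12 or blob[:4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack(">H", blob[4:6])[0]
    dir_end = 12 + 16 * num_tables
    if num_tables == 0 or num_tables > max_tables or len(blob) < dir_end:
        return None
    tables, end = [], dir_end
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        # Tags are printable ASCII (b"cmap", b"OS/2", b"cvt "); tables must follow
        # the directory and fit inside the bytes we were handed.
        if (not all(0x20 <= c <= 0x7E for c in tag)
                or offset < dir_end or offset + length > len(blob)):
            return None
        tables.append((tag.decode("ascii"), offset, length))
        end = max(end, offset + length)
    return {"version": blob[:4], "tables": tables, "length": end}


def find_sfnt(buf):
    """(offset, directory) for every plausible sfnt in buf (inflated stream data)."""
    hits = []
    for m in re.finditer(rb"\x00\x01\x00\x00|true|OTTO", buf):
        info = parse_sfnt(buf[m.start():])
        if info:
            hits.append((m.start(), info))
    return hits


def build_sample_sfnt(tables):
    """Constructed test input: a directory-valid sfnt with the given (tag, data) tables."""
    num = len(tables)
    entry_selector = num.bit_length() - 1
    search_range = (1 << entry_selector) * 16
    header = struct.pack(">IHHHH", 0x00010000, num, search_range,
                         entry_selector, num * 16 - search_range)
    records, body, offset = b"", b"", 12 + 16 * num
    for tag, data in tables:
        records += struct.pack(">4sIII", tag, 0, offset, len(data))
        padded = data + b"\0" * (-len(data) % 4)  # tables are 4-byte aligned
        body += padded
        offset += len(padded)
    return header + records + body


# Constructed carrier: the font sits inside a PDF font stream between other bytes.
SAMPLE_FONT = build_sample_sfnt([(b"cmap", b"CMAPDATA"), (b"glyf", b"GLYF!")])
SAMPLE_STREAM = (b"7 0 obj\n<< /Length 60 >>\nstream\n" + SAMPLE_FONT
                 + b"\nendstream\nendobj\n")

if __name__ == "__main__":
    for offset, info in find_sfnt(SAMPLE_STREAM):
        print(f"sfnt at offset 0x{offset:X}: {len(info['tables'])} tables, "
              f"{info['length']} bytes")
```

The constructed stream yields exactly one hit, at 0x20, even though the sfnt header itself contains a second 00 01 00 00 sequence (the entrySelector/rangeShift fields): that candidate is rejected because its "table count" is garbage. The computed span (57 bytes) is the unpadded end of the last table, which is the number to compare against a carver's reported size before trusting that a blob is a complete font and not a truncated or overlaid payload.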