Malicious PDF — malware analysis report

Static analysis result for SHA-256 40bc8e87e30c5d88…

Verdict: MALICIOUS
File type: PDF
Size: 52.1 KB
Authoring application: PDFBox
MD5: 9f75730361d43bcbc68963c574db8231
SHA-1: daa550bffc5b49501e9b601c5fa900f4dda32109
SHA-256: 40bc8e87e30c5d888c8bbeebbcca0b965c8ddaa2029e1407254776c0ebe74ecc
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic, pointing to various domains. The document body, though partially corrupted, mentions 'Class 11 biology ncert book pdf in hindi' and includes several URLs that appear to be lures for downloading PDF files. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a phishing or malicious download intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://dgdiamondgalleria.com/uploads/1/3/0/6/130604782/8492731.pdf
    • http://thedevyngunshow.com/uploads/1/3/0/5/130590363/5708370.pdf
    • http://andrewcarlosarchitect.com/uploads/1/3/0/3/130323319/42be19f.pdf
    • http://cardinalparkequine.com/uploads/1/3/0/6/130604580/zojoxinev.pdf
    • http://nashobavalleyextractco.com/uploads/1/3/0/6/130621158/130621158.html#class+11+biology+ncert+book+pdf+in+hindi

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size and SHA-256 of the carved file.

  • font_00_sfnt_off00000fc6.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFC6
    Size: 7508 bytes
    SHA-256: b79a3e7ef6d60ad144147b84e114f7a6de0cdc008a9145c2e5eecebedf70bc0a
  • font_01_sfnt_off00006988.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6988
    Size: 1388 bytes
    SHA-256: 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0
  • font_02_sfnt_off00007316.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7316
    Size: 14732 bytes
    SHA-256: 89d040f96c0101f4affab0ec8bf734f8ed57cf00125ff1f992f320d4613d9e73