Malicious PDF — malware analysis report

Static analysis result for SHA-256 41fae5c9ac62267a…

MALICIOUS

PDF

Size: 50.1 KB
Authoring application: GIMP
MD5: a5ddf8454563cca18dbff04077b4079c
SHA-1: ba1e23ad8ce3b9b95f74067d6b30be0a94478af9
SHA-256: 41fae5c9ac62267a7459bc8f38992d67fa84a8140bbae85f48074dfd0f178a01
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. This suggests the document is part of a link farm or SEO manipulation scheme, potentially leading to malicious content hosted on the linked domains. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a malicious intent, likely related to traffic redirection or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://kellypetsit.com/uploads/1/3/0/9/130969294/lojoxuvezalafife.pdf
    • http://greggmeierpainting.com/uploads/1/3/0/9/130969330/tozuj.pdf
    • http://www.rawindianhairs.com/uploads/1/3/0/7/130776490/6985567.pdf
    • http://dmmanagementconsulting.com/uploads/1/3/0/6/130620278/pigukabikatibi-diruwunirem-dibavevalok-kozajizo.pdf
    • http://nedcosummerblitz.com/uploads/1/3/0/4/130476628/zokasirawexos.pdf
    • http://ns.alzeen.com/uploads/1/3/0/6/130604801/31b1096102d0.pdf
    • http://odoroscenter.net/uploads/1/3/0/6/130604449/sewejoginulug-zamaneb-xusiloj-nuwefopijotimi.pdf
    • http://beeldschermverhuur.nl/uploads/1/3/0/8/130814382/roxoxubetiw-wexakugur-xilelaxil-jubemixibon.pdf
    • http://bigbreezelandscaping.com/uploads/1/3/0/5/130550796/jogogegexej.pdf
    • http://www.parentrecoverycoach.thechilitrail.com/uploads/1/3/0/3/130323329/biwaxaguxuvapep_zitajakil_lowidosurako.pdf
    • http://fbcwartburg.org/uploads/1/3/0/6/130605302/8005856.pdf
    • http://elevenoaksmobilehomepark.com/uploads/1/3/0/8/130814088/8b67f6ccd.pdf
    • http://kmradvisers.com/uploads/1/3/0/4/130483759/87ebe3e886f.pdf
    • http://felixvonreiswitz.com/uploads/1/3/0/8/130814058/239721.pdf
    • http://www.buriedlies.rpjandco.com/uploads/1/3/0/7/130775922/kowafox-letiti-foxuwuden.pdf
    • http://www.islaglow.com/uploads/1/3/0/9/130969298/6322896.pdf
    • http://lgbaonline.org/uploads/1/3/0/6/130639074/berimefowofi.pdf
    • http://upholsterysewingmachine.net/uploads/1/3/0/5/130542859/8950148.pdf
    • http://movedomaintonewaccttest.com/uploads/1/3/0/4/130476454/6558083.pdf
    • http://sbn.voyagerwebsites.com/uploads/1/3/0/5/130589374/130589374.html#socialismo+juridico+pdf

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000418c.bin
    SHA-256: e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x418C
    Size: 2652 bytes
  • Filename: font_01_sfnt_off00004a58.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4A58
    Size: 16036 bytes
  • Filename: font_02_sfnt_off0000620e.bin
    SHA-256: add6017893a04205d0474ae6c1ee384c8b05742ada7056e0dfecf4b69a510870
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x620E
    Size: 9920 bytes