Malicious PDF — malware analysis report

Static analysis result for SHA-256 4213ebc86fb4a3eb…

Verdict: MALICIOUS
File type: PDF
Size: 52.0 KB
Authoring application: QPDF
MD5: 9b6138dc6552f2528cbd187a329be096
SHA-1: 4f791ca156c078220842300d2a342271edf958ab
SHA-256: 4213ebc86fb4a3ebdb7fe25cf431126b69ed7d9ef729026bba01a4a418ab4b2e
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a link farm, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests the document is designed to redirect users to multiple external PDF files hosted on various domains. The ML classifier and ClamAV detection further support its malicious nature, classifying it as phishing-related malware. The embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9994

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://needacable.com/uploads/1/3/0/3/130323377/5db91cc2c.pdf
    • http://morphmylogo.com/uploads/1/3/0/6/130620945/xozobotonutej_vetomar_tamurupeg.pdf
    • http://tamingbigfootseattle.org/uploads/1/3/0/5/130589178/4ea51.pdf
    • http://beyondhillco.com/uploads/1/3/0/6/130604307/130604307.html#las+bases+nitrogenadas+propias+del+adn

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000105c.bin
    SHA-256: b817f21f43d3d575184fe7b1fc7ed491f3ef78748ad83b6e35bf6aef9fb807b2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x105C
    Size: 9820 bytes
  • Filename: font_01_sfnt_off00007c07.bin
    SHA-256: f304d5248de4d2d535e11e5a3f00133999c598ccb7ee943f2677ab784214679d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7C07
    Size: 16208 bytes
  • Filename: font_02_sfnt_off000090f1.bin
    SHA-256: ef56800321575c4cdac6f1c4af3b8199871638fd5d219ef2441f058b682d8814
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x90F1
    Size: 2708 bytes