Malicious PDF — malware analysis report

Static analysis result for SHA-256 49803e46d1326bf5…

MALICIOUS

PDF

Size: 36.0 KB
Authoring application: SWFTools
MD5: c2e6f0c06e890e437f32de31cc160644
SHA-1: 45d0e48efa4f705a7c1842e74db174fafac17d4e
SHA-256: 49803e46d1326bf57d49b2187ebf56bff37585f65d9b3b9ef948fd175f5894ba
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to other PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, as suggested by the 'PDF_SEO_LINK_FARM' heuristic and ClamAV detection. The ML classifier also strongly flagged this PDF as malicious. The primary intent appears to be directing users to external resources, potentially for SEO manipulation or to serve additional malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002c80.bin
SHA-256: 47198323093b0d18b7c3af0617c239f0e6826e543c1ba082d00fe89d0602695c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2C80
Size: 7140 bytes