Malicious PDF — malware analysis report

Static analysis result for SHA-256 4db383e7ad5bac28…

MALICIOUS

PDF

Size: 46.2 KB
Authoring application: Poppler-utils
MD5: 7cc47cbc7b0a6d590e1e3852990d9165
SHA-1: cf11684e1175f84c7bfff5c6e0661b9c294bff45
SHA-256: 4db383e7ad5bac28ad0d32e7e9fccd50c0243d5d6432f91226bd66136fada4c6
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample was flagged as malicious by ClamAV and by an ML classifier. It carries a large number of embedded URLs pointing to external PDF files, almost all of them on weebly.com subdomains. The PDF_SEO_LINK_FARM heuristic indicates these links form a link farm, so the document's primary purpose is SEO manipulation or acting as a distribution point for other malicious content. No JavaScript or other scripts were extracted, so the risk lies in the links the file carries rather than in active content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://jifanefol.weebly.com/uploads/1/3/0/3/130379347/5930483.pdf
    • https://sakefozam.weebly.com/uploads/1/3/0/2/130291555/7875612.pdf
    • https://retunuvoso.weebly.com/uploads/1/3/0/4/130483142/255639.pdf
    • https://zupalejodole.weebly.com/uploads/1/3/0/4/130436451/ruwaxerunosoxawijut.pdf
    • https://balasebanuwo.weebly.com/uploads/1/3/0/3/130323568/90e63a81e8f52.pdf
    • https://kegukizorulexix.weebly.com/uploads/1/3/0/4/130476733/wubufejupiz.pdf
    • https://rotejuju.weebly.com/uploads/1/3/0/3/130312916/daxufox.pdf
    • https://lokuxumuvado.weebly.com/uploads/1/3/0/2/130288924/9248478.pdf
    • https://gusinutisotiguz.weebly.com/uploads/1/3/0/3/130323422/1126130.pdf
    • https://lezodira.weebly.com/uploads/1/3/0/2/130287426/5323124.pdf
    • https://barumixa.weebly.com/uploads/1/3/0/3/130313075/wazigijow.pdf
    • https://rusivabi.weebly.com/uploads/1/3/0/3/130313700/nomugadisopome.pdf
    • https://zemozujabuwixux.weebly.com/uploads/1/3/0/4/130476035/dakoget_rawig_pabifol_wapoxuba.pdf
    • https://lavupubekuwi.weebly.com/uploads/1/3/0/2/130289177/5807686.pdf
    • https://fibutigojojox.weebly.com/uploads/1/3/0/2/130289611/56d78a77761b84.pdf
    • https://vunefakob.weebly.com/uploads/1/3/0/2/130273617/843cd.pdf
    • https://nijuguzon.weebly.com/uploads/1/3/0/4/130478566/8557551.pdf
    • https://zofaxodazidol.weebly.com/uploads/1/3/0/3/130323599/130323599.html#bartholin+cyst+surgical+drainage
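The PDF_SEO_LINK_FARM rule and the per-URL channel labels mentioned under EMBEDDED_URL can be illustrated with a small script. The following is an added example, not the analysis platform's own code: it pulls URLs out of /Link annotations that carry a /URI action, tags each with the channel it came from, and then applies a link-farm test (small file, many external .pdf links, most of them on one registrable domain). Because the URLs above sit on many different weebly.com subdomains, this version clusters on the registrable domain rather than the full hostname; that choice, the thresholds, and the example-host names in the constructed carrier are assumptions.

```python
"""Toy implementation of a PDF_SEO_LINK_FARM-style heuristic.

Added example, not the analysis platform's own code. Thresholds, the
registered-domain approximation and the constructed sample are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Matches a /Link annotation whose action is a /URI with a literal string.
# Sufficient for the constructed sample; a real extractor must also handle
# hex strings, object streams, indirect /A references and other action types.
LINK_URI_RE = re.compile(
    rb"/Subtype\s*/Link.*?/S\s*/URI\s*/URI\s*\(((?:[^()\\]|\\.)*)\)", re.S)


def extract_urls(pdf: bytes):
    """Return (url, channel) pairs; the channel label records how the URL was reached."""
    return [(m.decode("latin-1"), "link annotation") for m in LINK_URI_RE.findall(pdf)]


def registered_domain(host: str) -> str:
    """Approximate eTLD+1 by keeping the last two labels (assumption: no public-suffix lookup)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def seo_link_farm(pdf: bytes, max_size=200 * 1024, min_links=10, cluster_ratio=0.6):
    """Small file + many external .pdf links + one dominant domain => the heuristic fires."""
    urls = [u for u, channel in extract_urls(pdf) if channel == "link annotation"]
    pdf_hosts = []
    for u in urls:
        p = urlparse(u)
        if p.scheme in ("http", "https") and p.hostname and p.path.lower().endswith(".pdf"):
            pdf_hosts.append(p.hostname)
    domains = Counter(registered_domain(h) for h in pdf_hosts)
    top_domain, top_count = domains.most_common(1)[0] if domains else (None, 0)
    ratio = top_count / len(pdf_hosts) if pdf_hosts else 0.0
    fires = len(pdf) <= max_size and len(pdf_hosts) >= min_links and ratio >= cluster_ratio
    return {"size": len(pdf), "urls": len(urls), "pdf_links": len(pdf_hosts),
            "top_domain": top_domain, "cluster_ratio": round(ratio, 2), "fires": fires}


def build_sample(urls):
    """Constructed minimal PDF-like carrier with one /Link annotation per URL (not a viewable PDF)."""
    body = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ("
        + u.encode("latin-1") + b") >> >>\n"
        for u in urls)
    return b"%PDF-1.4\n" + body + b"%%EOF\n"


# Constructed inputs (assumption): a farm-like carrier and a normal citation pattern.
FARM_URLS = [f"https://site{i:02d}.example-host.test/uploads/{i}.pdf" for i in range(15)] + [
    "https://other.example.test/index.html#keyword"]
BENIGN_URLS = ["https://a.example.test/paper.pdf", "https://b.example.net/cite.pdf"]

if __name__ == "__main__":
    print(seo_link_farm(build_sample(FARM_URLS)))
    print(seo_link_farm(build_sample(BENIGN_URLS)))
```

Applied to the list above, the same counting would see eighteen URLs, seventeen of them with .pdf paths and every host under weebly.com, inside a 46.2 KB file, which is exactly the profile the rule describes.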

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001407.bin
SHA-256: d8637e6f43aaa18950f170a6214307a3dc9356caf6f9bb86194bd2dadc4f5a3d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1407
Size: 7696 bytes
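Carving an embedded font like the one listed above (an sfnt stream at offset 0x1407, hashed and saved under a name of the form font_NN_sfnt_offXXXXXXXX.bin) means locating stream objects, applying the declared filter, and checking the decoded bytes for an sfnt magic number. The script below is an added example, not the platform's carver: the naming pattern is modelled on the artifact filename shown, while the regex-based stream scanner and the constructed sample PDF are assumptions.

```python
"""Carve sfnt (TrueType/OpenType) font streams out of a PDF and hash them.

Added example, not the analysis platform's own carver. The stream scanner,
the artifact naming scheme and the constructed sample are assumptions.
"""
import hashlib
import re
import zlib

# A (non-nested) stream dictionary immediately followed by the stream keyword.
# Good enough for the constructed sample; a production carver should walk the
# xref/object structure rather than pattern-match the file.
STREAM_HDR_RE = re.compile(rb"<<((?:(?!<<).)*?)>>\s*stream\r?\n", re.S)
# Direct integer /Length only; "/Length 5 0 R" (indirect) is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")

# First four bytes of an sfnt container: TrueType (0x00010000 or 'true'),
# CFF-based OpenType ('OTTO') and TrueType collections ('ttcf').
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_sfnt_fonts(pdf: bytes):
    """Return one record per embedded sfnt font: file offset, decoded size, SHA-256, artifact name."""
    found = []
    for m in STREAM_HDR_RE.finditer(pdf):
        stream_dict = m.group(1)
        length = LENGTH_RE.search(stream_dict)
        if not length:
            continue  # indirect /Length; resolving it needs a real object parser
        start = m.end()  # offset of the raw stream body inside the file
        raw = pdf[start:start + int(length.group(1))]
        data = raw
        if b"/FlateDecode" in stream_dict:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or non-standard stream: skip rather than mis-label it
        if data[:4] not in SFNT_MAGIC:
            continue
        found.append({
            "name": f"font_{len(found):02d}_sfnt_off{start:08x}.bin",
            "offset": start,
            "size": len(data),
            "sha256": sha256_hex(data),
        })
    return found


def make_stream(extra_dict: bytes, payload: bytes, compress: bool) -> bytes:
    """Build one stream object; Flate-compress the payload when asked."""
    body = zlib.compress(payload) if compress else payload
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"<< " + extra_dict + b" /Length " + str(len(body)).encode() + filt
            + b" >>\nstream\n" + body + b"\nendstream\n")


# Constructed sample (assumption): one page content stream plus one FlateDecode
# font stream whose payload starts with the TrueType sfnt version 1.0 header.
FONT_BYTES = b"\x00\x01\x00\x00" + b"\x00\x04" + b"\x00" * 58 + b"cmap" + b"\x00" * 12
COMPRESSED_FONT = zlib.compress(FONT_BYTES)
SAMPLE_PDF = (b"%PDF-1.4\n"
              + b"4 0 obj\n" + make_stream(b"", b"BT /F1 12 Tf (hello) Tj ET", False) + b"endobj\n"
              + b"5 0 obj\n" + make_stream(b"/Length1 " + str(len(FONT_BYTES)).encode(), FONT_BYTES, True)
              + b"endobj\n"
              + b"%%EOF\n")

if __name__ == "__main__":
    for rec in carve_sfnt_fonts(SAMPLE_PDF):
        print(rec)
```

The offset recorded is that of the raw (still compressed) stream body, which is what a filename such as font_00_sfnt_off00001407.bin points back to; the size and SHA-256 are of the decoded font, which is what you would submit to a font parser or a hash lookup.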