Malicious PDF — malware analysis report

Static analysis result for SHA-256 507c7db2d0cb7cfe…

Verdict: MALICIOUS
File type: PDF
Size: 39.4 KB
Authoring application: Solid Converter PDF
MD5: 04ac23dbd74710960ec174ce591fde20
SHA-1: f8589312344cd59400354a559bed7fd96de877b6
SHA-256: 507c7db2d0cb7cfe08fbab9e57491f077a9ce3efa8cf03d0e979a9f7b5ee0c6a
Risk score: 150

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF carries 19 clickable external links, which the primary heuristic, PDF_SEO_LINK_FARM, classifies as a 'link farm'. The ML classifier (malicious score 1.0000) and the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 both indicate malicious intent. The link targets are spread across 19 different hosts but share one generated path template (/uploads/1/3/0/N/<id>/<file>), and 18 of the 19 point at further PDFs. This is the pattern of PDFs mass-produced and seeded across many domains to manipulate search engine results and to route users who follow the links into phishing or unwanted-software delivery chains. No scripts were extracted from this sample, so no PowerShell use (the ATT&CK T1059.001 tag) was observed directly in the file; the threat lies in where the links lead, not in code inside the document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://piinttheskyflorida.org/uploads/1/3/0/7/130739615/5203489.pdf
    • http://mrsbhatt.com/uploads/1/3/0/7/130776714/becc4b30e1.pdf
    • http://landscapedreaming.com/uploads/1/3/0/5/130550812/4223258.pdf
    • http://sessionninephotography.com/uploads/1/3/0/4/130476048/nelaxivubunemu_pirazebakakuto_bagefu_xutub.pdf
    • http://michiganlegalmalpracticequestions.com/uploads/1/3/0/7/130775712/9621251.pdf
    • http://sweep.work/uploads/1/3/0/4/130483753/lomanexojewel_safuxogigalume.pdf
    • http://brandgenius.com/uploads/1/3/0/2/130291371/gipupubaloduxi.pdf
    • http://mommaleahsgoods.com/uploads/1/3/0/7/130776747/nomimosidukuba-gapizanipo-zazeguzo.pdf
    • http://www.shop-self.com/uploads/1/3/0/6/130604230/jikoxivelojowagivem.pdf
    • http://blaqsharkskate.com/uploads/1/3/0/6/130603773/norul-xaxevitoxisagi-videmowaju-gobewono.pdf
    • http://mycyberphile.com/uploads/1/3/0/5/130551890/wokokefevufol_nozuzeruropi_rexejuwovefi.pdf
    • http://betterbuysretail.net/uploads/1/3/0/6/130640236/poriregam_maresokisod_resameda.pdf
    • http://clearorm.com/uploads/1/3/0/6/130604286/nixinabipavirakedeje.pdf
    • http://spendlingwimmer.com/uploads/1/3/0/5/130551554/vodagax.pdf
    • http://www.foodfighting.org/uploads/1/3/0/4/130435813/2995570.pdf
    • http://spesuvalde.com/uploads/1/3/0/8/130813961/85a59.pdf
    • http://sabco.org/uploads/1/3/0/5/130590653/tokavorov-refug-nelabisipimo-vuxizenuvotosuw.pdf
    • http://clickdowntoearth.com/uploads/1/3/0/6/130639885/jisoviv.pdf
    • http://kinsley-walker-p-1.rominastiebenphotography.com/uploads/1/3/0/7/130775126/130775126.html#alkaline+phosphatase+function+in+milk
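The PDF_SEO_LINK_FARM heuristic above scores a document on how many external, mostly PDF, links it carries relative to its size and on how clustered their targets are. The Python below is an added example, not the scanner's own code: it builds a constructed minimal PDF in memory whose /Link annotations point at the 19 URLs listed in this report, extracts the /URI actions, and applies assumed thresholds (the report does not publish the real ones). It also collapses each path to a digit-free template, which is what makes this sample's 19 different hosts cluster: every target sits under the same /uploads/#/#/#/#/#/ path. Real-world PDFs usually keep annotations inside compressed object streams, so a production check needs a full PDF parser rather than a regex over raw bytes.

```python
"""Toy version of the PDF_SEO_LINK_FARM heuristic (added example, not the
scanner's code). Builds a minimal uncompressed PDF whose /Link annotations
target the URLs from this report, then scores it. Thresholds are assumed; the
regex only handles plain literal-string /URI entries, so a real detector must
decompress object streams and use a proper PDF parser."""
import re
from collections import Counter
from urllib.parse import urlsplit

# The 19 link targets from the EMBEDDED_URL section of the report.
REPORT_URLS = [
    "http://piinttheskyflorida.org/uploads/1/3/0/7/130739615/5203489.pdf",
    "http://mrsbhatt.com/uploads/1/3/0/7/130776714/becc4b30e1.pdf",
    "http://landscapedreaming.com/uploads/1/3/0/5/130550812/4223258.pdf",
    "http://sessionninephotography.com/uploads/1/3/0/4/130476048/nelaxivubunemu_pirazebakakuto_bagefu_xutub.pdf",
    "http://michiganlegalmalpracticequestions.com/uploads/1/3/0/7/130775712/9621251.pdf",
    "http://sweep.work/uploads/1/3/0/4/130483753/lomanexojewel_safuxogigalume.pdf",
    "http://brandgenius.com/uploads/1/3/0/2/130291371/gipupubaloduxi.pdf",
    "http://mommaleahsgoods.com/uploads/1/3/0/7/130776747/nomimosidukuba-gapizanipo-zazeguzo.pdf",
    "http://www.shop-self.com/uploads/1/3/0/6/130604230/jikoxivelojowagivem.pdf",
    "http://blaqsharkskate.com/uploads/1/3/0/6/130603773/norul-xaxevitoxisagi-videmowaju-gobewono.pdf",
    "http://mycyberphile.com/uploads/1/3/0/5/130551890/wokokefevufol_nozuzeruropi_rexejuwovefi.pdf",
    "http://betterbuysretail.net/uploads/1/3/0/6/130640236/poriregam_maresokisod_resameda.pdf",
    "http://clearorm.com/uploads/1/3/0/6/130604286/nixinabipavirakedeje.pdf",
    "http://spendlingwimmer.com/uploads/1/3/0/5/130551554/vodagax.pdf",
    "http://www.foodfighting.org/uploads/1/3/0/4/130435813/2995570.pdf",
    "http://spesuvalde.com/uploads/1/3/0/8/130813961/85a59.pdf",
    "http://sabco.org/uploads/1/3/0/5/130590653/tokavorov-refug-nelabisipimo-vuxizenuvotosuw.pdf",
    "http://clickdowntoearth.com/uploads/1/3/0/6/130639885/jisoviv.pdf",
    "http://kinsley-walker-p-1.rominastiebenphotography.com/uploads/1/3/0/7/130775126/130775126.html#alkaline+phosphatase+function+in+milk",
]

THRESHOLDS = {                      # assumed values, not the scanner's
    "max_size_bytes": 100 * 1024,   # "small PDF"
    "min_external_links": 10,       # "many clickable external links"
    "min_pdf_fraction": 0.75,       # most targets are themselves PDFs
    "min_cluster_share": 0.5,       # one host OR one path template dominates
}


def _pdf_string(s):
    """Encode s as a PDF literal string, escaping backslash and parentheses."""
    return "(" + s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)") + ")"


def build_pdf_with_links(urls):
    """Constructed sample: one page with one /Link annotation per URL.
    The xref table is omitted, so this is for parser tests, not for viewers."""
    annots = []
    for i, url in enumerate(urls):
        y = 780 - 12 * i
        annots.append("<< /Type /Annot /Subtype /Link /Rect [20 %d 400 %d] "
                      "/A << /S /URI /URI %s >> >>" % (y, y + 10, _pdf_string(url)))
    refs = " ".join("%d 0 R" % (4 + i) for i in range(len(annots)))
    objs = ["<< /Type /Catalog /Pages 2 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>" % refs,
            *annots]
    body = "".join("%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return ("%PDF-1.4\n" + body + "trailer\n<< /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


def extract_uris(pdf_bytes):
    """Pull /URI (literal string) values out of uncompressed PDF content,
    honouring backslash escapes inside the string."""
    found = re.findall(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", pdf_bytes)
    return [re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1") for raw in found]


def score_link_farm(pdf_bytes, thresholds=THRESHOLDS):
    """Return link-farm indicators and a verdict for one PDF."""
    parts = [urlsplit(u) for u in extract_uris(pdf_bytes)
             if u.lower().startswith(("http://", "https://"))]
    n = len(parts)
    hosts = Counter((p.hostname or "").lower() for p in parts)
    # Replace digit runs and the final segment so generated upload paths on
    # different hosts fold into one template, e.g. /uploads/#/#/#/#/#/<file>
    templates = Counter(re.sub(r"/[^/]*$", "/<file>", re.sub(r"\d+", "#", p.path))
                        for p in parts)
    pdf_targets = sum(1 for p in parts if p.path.lower().endswith(".pdf"))
    top_host = max(hosts.values()) / n if n else 0.0
    top_template = max(templates.values()) / n if n else 0.0
    pdf_fraction = pdf_targets / n if n else 0.0
    flagged = (len(pdf_bytes) <= thresholds["max_size_bytes"]
               and n >= thresholds["min_external_links"]
               and pdf_fraction >= thresholds["min_pdf_fraction"]
               and max(top_host, top_template) >= thresholds["min_cluster_share"])
    return {"size_bytes": len(pdf_bytes), "external_links": n,
            "pdf_targets": pdf_targets, "distinct_hosts": len(hosts),
            "top_host_share": round(top_host, 3),
            "top_template_share": round(top_template, 3),
            "top_template": templates.most_common(1)[0][0] if templates else None,
            "flagged": flagged}


if __name__ == "__main__":
    print(score_link_farm(build_pdf_with_links(REPORT_URLS)))
```

Run against the report's URL list, the detector sees 19 external links on 19 distinct hosts (so a per-host cluster check alone would miss it) but a single path template covering 100% of targets, with 18 of 19 targets being PDFs; that combination is what the rule flags. The path-template fold is the part worth keeping when porting this to a real PDF parser.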

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003be3.bin
SHA-256: 9c5749e943ff3db0c8a4e484a2fe3c537f4771fac363afb00563e105d3216d26
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3BE3
Size: 7928 bytes