Malicious PDF — malware analysis report

Static analysis result for SHA-256 517776b13770c142…

MALICIOUS

PDF

Size: 61.9 KB
Authoring application: Smallpdf Desktop
MD5: c4b09df40506b97e5c3edd0c5423407c
SHA-1: a09db095d0ff2bd876e2366964d8483a744ec371
SHA-256: 517776b13770c142048cf61874ea3b645601c4dc7ddfaf3394cbff80576de633
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically classified as phishing and traffic redirection. The document body, though partially obfuscated, contains references to external URLs, reinforcing the link-farming attack pattern. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://acreditleap.com/uploads/1/3/0/5/130539875/7c8f0be.pdf
    • http://thestorefrontgallery.com/uploads/1/3/0/4/130483577/48072331e9.pdf
    • http://newholland4wdtractor.com/uploads/1/3/0/6/130621464/e27248.pdf
    • http://mold-a-rama.net/uploads/1/3/0/5/130589244/f12a66fc18.pdf
    • http://piqiplay.com/uploads/1/3/0/3/130379627/12b1adc5e92c9c1.pdf
    • http://oliverapps.net/uploads/1/3/0/2/130272296/9f5bbac1d457.pdf
    • http://tahoegoogletours.com/uploads/1/3/0/6/130605416/3339525.pdf
    • http://pahasapagrotto.com/uploads/1/3/0/5/130589305/3579595.pdf
    • http://bcrtech.org/uploads/1/3/0/4/130435774/80fc8b.pdf
    • http://woodlandstuition.com/uploads/1/3/0/7/130775519/130775519.html#the+black+dagger+brotherhood+an+insider%27s+guide+vk

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00001317.bin
    SHA-256: ebe07e787e554a70816fa0422a31c7fa57297d663871c4ae9b8859d2a71a81bc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1317
    Size: 10316 bytes
  • font_01_sfnt_off00004a3c.bin
    SHA-256: 448c4d4550ed59c7e8e80b6d66b986666620351883d23913e38401b861762e5b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4A3C
    Size: 16368 bytes