Malicious PDF — malware analysis report

Static analysis result for SHA-256 51a26f4271d6646a…

Verdict: MALICIOUS
File type: PDF
Size: 35.2 KB
Authoring application: Poppler-utils
MD5: 0afe4bc6e9f294c40707978eea8db724
SHA-1: 541db857b72a26601156f2b6dfcb786bd98d2d6a
SHA-256: 51a26f4271d6646ac0105fd85528c02f405451c5814ccfc07690ce0f921425df
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO spam or to distribute malware. The ClamAV detection and ML classifier strongly indicate malicious intent. The heuristic 'PDF_SEO_LINK_FARM' confirms the presence of a link farm, suggesting the primary goal is to drive traffic to these external resources, which may host further malicious payloads or phishing content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002dc8.bin
SHA-256: bfb795ff0bf8318feb4b3326cb8baf76c182e804f97cfd5c4b2a7a7059c73545
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2DC8
Size: 7180 bytes