Malicious PDF — malware analysis report

Static analysis result for SHA-256 522761303f67bc0b…

Verdict: MALICIOUS
File type: PDF
Size: 39.4 KB
Authoring application: Smallpdf Desktop
MD5: c2fcb87c7faefdd5f942cf9199cde3d4
SHA-1: 9203021be791769c7259b713f69a7b6d5db196e9
SHA-256: 522761303f67bc0b9efb259046c58d24a4902f51bd112cdc8c583ff3fa7bf819
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, a common technique for SEO poisoning or directing users to malicious sites. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent, likely phishing or malware distribution. The embedded URLs point to domains that appear to be part of a link farm, suggesting a coordinated effort to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://moltenpleasure.net/uploads/1/3/0/2/130287313/jisineso_pifuvizone_jixef_zaxuke.pdf
    • http://shamrockmaids.com/uploads/1/3/0/5/130590392/sezesojegamixep.pdf
    • http://vparliament.com/uploads/1/3/0/7/130740097/vofosetufozo-widebul-jolorurix-jotubukaretu.pdf
    • http://www.oceanbeachmv.com/uploads/1/3/0/4/130488578/483501efcb13647.pdf
    • http://gurzuf.taxi/uploads/1/3/0/2/130289760/guwebapilisidi.pdf
    • http://monthlytights.net/uploads/1/3/0/7/130738576/navamurogomal.pdf
    • http://www.aakphotos.net/uploads/1/3/0/6/130639518/xurexor.pdf
    • http://30-32royalstreet.com/uploads/1/3/0/6/130621664/7476860.pdf
    • http://wizardofov.org/uploads/1/3/0/7/130740112/kipunin_zikeruvuxaf_sonasonofuli.pdf
    • http://lolichs.com/uploads/1/3/0/6/130603838/4a64d7d92a15.pdf
    • http://moonlitdreamspublications.com/uploads/1/3/0/7/130738714/tekobig.pdf
    • http://nxtesports.com/uploads/1/3/0/5/130540280/1904661.pdf
    • http://chanabarriger.com/uploads/1/3/0/4/130483400/sivozukavesemina.pdf
    • http://jordanqualls.net/uploads/1/3/0/4/130436006/cc23e1.pdf
    • http://www.twosunsdoula.jomehndi.com/uploads/1/3/0/6/130639503/vogawesitu_dodazojuditukaf.pdf
    • http://truelig.co.za/uploads/1/3/0/7/130738650/lajewu-vaderowapi-woxuwumon.pdf
    • http://michellerosa.org/uploads/1/3/0/8/130813979/vefuka.pdf
    • http://www.kawanalmccloud.org/uploads/1/3/0/8/130813372/tometelu.pdf
    • http://rmwctrust.com/uploads/1/3/0/7/130739379/lexumodapanetol_sijekumubobafo_nixujutumimil.pdf
    • http://mrswoodworth.com/uploads/1/3/0/4/130483480/bisusakudurowoj-nuwidufajamu.pdf
    • http://rollenundskaten.de/uploads/1/3/0/7/130740340/xujaze.pdf
    • http://mci-ourhotelsportal.devsite-1.com/uploads/1/3/0/6/130621533/130621533.html#medicina+natural+para+eliminar+acido+urico

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000391a.bin
SHA-256: 631dabf81eaf490df2f87d8822bc1df6e22009ff0e82b32cf1d545790158916e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x391A
Size: 8588 bytes