Malicious PDF — malware analysis report

Static analysis result for SHA-256 58aac3844e30b380…

Verdict: MALICIOUS
File type: PDF
Size: 42.8 KB
Authoring application: SWFTools
MD5: d4f30b2c223917e21fa8a8206ed35609
SHA-1: d32667ae831de95ede8f186d75f8e1f4a0a51318
SHA-256: 58aac3844e30b38084ed8d5c34da09c7848afd834f8af04d67a23bf95443071e
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The PDF contains a large number of external links, a pattern commonly used in SEO poisoning and phishing campaigns. The ClamAV signature hit and the ML classifier score both indicate malicious intent. The embedded URLs point to a set of similarly named PDF files hosted under the same /uploads/1/3/0/.../ path structure on many different domains, which suggests a coordinated, generated campaign that redirects users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, typically clustered on one host or sharing one generated path shape. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the links are spread across distinct hosts but all share the same /uploads/1/3/0/<n>/<id>/<name> path template.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://cakenetwork.us/uploads/1/3/0/5/130588269/pigok.pdf
    • http://www.blackcanyonpet.com/uploads/1/3/0/7/130739007/juminexidepoweg.pdf
    • http://savannahlynnrogers.com/uploads/1/3/0/4/130489434/pojakuropulen_fezafapukimor_jenuriz_kowijuw.pdf
    • http://www.gbwbathbrushes.com/uploads/1/3/0/4/130488096/2205153.pdf
    • http://www.gpcitizensacademy.com/uploads/1/3/0/4/130479008/6458743f36b824a.pdf
    • http://marshalinehan.com/uploads/1/3/0/6/130604951/garevaganir.pdf
    • http://christinetschida.com/uploads/1/3/0/6/130620653/e607b29.pdf
    • http://www.susaninwonderland.com/uploads/1/3/0/6/130603835/kokenevafane_dogufuva_fidemaj_rapotuba.pdf
    • http://ecceko.net/uploads/1/3/0/3/130379503/suzezoso_debanalep_nosef.pdf
    • http://bejustalittlebetter.com/uploads/1/3/0/6/130605384/ccc6fc4876244.pdf
    • http://automotivepartsgroup.net/uploads/1/3/0/7/130740000/9206424.pdf
    • http://youthcount2019.info/uploads/1/3/0/4/130435741/juterapapimor.pdf
    • http://thepaleocaveman.com/uploads/1/3/0/6/130621210/b3c529c.pdf
    • http://nekimastrategy.net/uploads/1/3/0/5/130547515/wivurabazalex.pdf
    • http://julievousaccompagne.fr/uploads/1/3/0/4/130483239/130483239.html#acceleration+due+to+gravity+lab+errors
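The PDF_SEO_LINK_FARM heuristic above can be reproduced with a small stdlib-only scanner. The following is an added example, not the analyzer's own code: it pulls every /URI action target out of a PDF by regex, then scores the link set on file size, link count, share of .pdf targets, host concentration and path-template concentration. The thresholds (100 KB, 10 links, 0.5 and 0.8 shares) are assumptions chosen for illustration, and the sample PDFs and their .example hosts are constructed inline so the script runs offline; only the path shape mirrors the URLs listed in this report.

```python
"""
Added example (not the analyzer's code): scan a PDF for /URI link targets and
apply a link-farm heuristic like the PDF_SEO_LINK_FARM rule above.
Thresholds and the sample hosts are assumptions chosen for illustration.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI ( ... ) literal string; tolerates escaped parentheses inside the string.
URI_RE = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)')


def extract_uri_links(pdf_bytes: bytes) -> list:
    """Return every /URI action target found as a literal string in the file."""
    links = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(b'\\(', b'(').replace(b'\\)', b')').replace(b'\\\\', b'\\')
        links.append(raw.decode('latin-1'))
    return links


def path_template(url: str) -> str:
    """Collapse a URL path to its shape: digit runs become '#', the final segment '*'."""
    parts = urlsplit(url).path.split('/')
    parts[-1] = '*' if parts[-1] else ''
    return re.sub(r'\d+', '#', '/'.join(parts))


def link_farm_features(pdf_bytes: bytes, max_size: int = 100_000, min_links: int = 10) -> dict:
    """Compute the features behind a link-farm verdict (thresholds are assumptions)."""
    external = [u for u in extract_uri_links(pdf_bytes)
                if urlsplit(u).scheme in ('http', 'https')]
    n = len(external)
    hosts = Counter(urlsplit(u).hostname or '' for u in external)
    templates = Counter(path_template(u) for u in external)
    pdf_targets = sum(urlsplit(u).path.lower().endswith('.pdf') for u in external)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template_share = templates.most_common(1)[0][1] / n if n else 0.0
    pdf_share = pdf_targets / n if n else 0.0
    feats = {
        'file_size': len(pdf_bytes),
        'external_links': n,
        'distinct_hosts': len(hosts),
        'top_host_share': top_host_share,
        'top_template': templates.most_common(1)[0][0] if n else '',
        'top_template_share': top_template_share,
        'pdf_target_share': pdf_share,
    }
    # Flag: small file, many links, targets mostly PDFs, and the links look
    # machine-generated: either one host dominates or one path shape does.
    feats['link_farm'] = (len(pdf_bytes) <= max_size and n >= min_links
                          and pdf_share >= 0.5
                          and (top_host_share >= 0.5 or top_template_share >= 0.8))
    return feats


def build_link_pdf(urls) -> bytes:
    """Constructed sample: a one-page PDF whose only content is one /Link annotation per URL.
    No xref table is written; that is enough for byte-level scanning, not for a viewer."""
    objs, refs = [], []
    for num, url in enumerate(urls, start=4):
        esc = url.replace('\\', '\\\\').replace('(', '\\(').replace(')', '\\)')
        objs.append(f"{num} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({esc}) >> >> endobj")
        refs.append(f"{num} 0 R")
    body = [
        "%PDF-1.4",
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        f"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [{' '.join(refs)}] >> endobj",
    ] + objs + ["trailer << /Root 1 0 R >>", "%%EOF"]
    return "\n".join(body).encode('latin-1')


# Constructed link-farm sample (hypothetical .example hosts) mirroring the report's
# path shape: distinct hosts, one shared /uploads/#/#/#/#/#/* template, mostly .pdf targets.
FARM_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 8}/13{i:07d}/doc{i}.pdf"
             for i in range(14)]
FARM_URLS.append("http://site99.example/uploads/1/3/0/4/130000099/130000099.html#lab+errors")
FARM_PDF = build_link_pdf(FARM_URLS)

# Constructed benign sample: a handful of ordinary citation-style links.
BENIGN_PDF = build_link_pdf([
    "https://www.example.org/standards/pdf-1.7",
    "https://docs.example.net/reference/annotations",
    "https://example.com/blog/2019/10/release-notes",
])

if __name__ == "__main__":
    for name, blob in (("farm", FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, link_farm_features(blob))
```

The path-template feature is what separates this sample from a normal citation list: fifteen links on fifteen hosts would pass a pure host-clustering check, but they collapse to a single template, which is the signature of a generated carrier. On a real file, run the same function over the raw bytes after decompressing any FlateDecode object streams, since link annotations inside compressed streams will not be visible to the regex.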

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00003367.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x3367  16036 bytes
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
font_01_sfnt_off00004b07.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4B07  8844 bytes
  SHA-256: ed6a39a32509ce3d1703dbfd4c0f65d25c92b4be8e4893350100b70e92f16914