Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a3c2b12bf46b73a…

Verdict: MALICIOUS

File type: PDF

Size: 51.2 KB
Authoring application: Soda PDF
MD5: d48b796efb9bc654cf750d8402d09928
SHA-1: b70a7efaf68bd92742d3a6b4719889697ec7f5e7
SHA-256: 5a3c2b12bf46b73a8add277c5cc9057e2d214a53aac0076b9e81edcec11725ab
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001: Spearphishing Attachment

The PDF document contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic, which strongly suggests a phishing or redirection attempt. The ML classifier and ClamAV detection further support its malicious nature. The embedded URLs are likely used to host malicious content or lead to phishing pages.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000010fe.bin
SHA-256: ac7df0df7717000bd50c06bbdf74da461d2304fd468a8ee10696b25a7a30c44d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10FE
Size: 8112 bytes