Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a7d2aa25fee0d37…

Verdict: MALICIOUS
File type: PDF
Size: 45.6 KB
Authoring application: Pdftk
MD5: 2290cc82914f7fa821da1b483dcd7a31
SHA-1: 23fe376806380a3e48a3a03ef6a570daa0a5a49c
SHA-256: 5a7d2aa25fee0d37c73717a758f836166f4eccde39d9cb65b05b86e5deefc4e8
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a malicious intent to manipulate search engine results or redirect users to potentially harmful content. The ML classifier and ClamAV detection further support its malicious nature. While no scripts were explicitly extracted, the embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size:

  • font_00_sfnt_off000012c9.bin
    SHA-256: e4b891843dfbe66c1c7409e8e3d9023c01cd784cee9bea4dbc79c981f76b2298
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x12C9; Size: 10808 bytes
  • font_01_sfnt_off000068b0.bin
    SHA-256: aa272e264b634097466a21e3b70bbbe66e41095b4f5ff494e991c791dba5ffd0
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x68B0; Size: 17412 bytes