Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c683fa7b61480ac…

MALICIOUS

PDF

Size: 37.8 KB
Authoring application: PDF Studio
MD5: a4c00b861325f985ff0021f1a1d39241
SHA-1: 7d4680b5348beea9e14967c108647bfabe724ae2
SHA-256: 5c683fa7b61480ac12e230c0154d0e10c63b7493e280eaeb76c19f9809905f9b
Risk Score: 192

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs, forming a link farm, which is a common technique for SEO poisoning or distributing malicious content. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests the document may also instruct users to open a password-protected archive, a tactic to bypass security scanners. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Password-protected archive handoff (severity: high, rule: SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003209.bin
SHA-256: 4a1361f01c44314aff341659d0b0848e42b604f2b3fa139494213c99a56cfe4f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3209
Size: 7692 bytes