Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c68966c348016c7…

MALICIOUS

PDF

38.2 KB Authoring application: GIMP
MD5: fd6874db6aaa3b9a29d7a2f75cd46a42 SHA-1: 243bd492154248e92c82df4d3359bbb7ddfb110f SHA-256: 5c68966c348016c7c93629d07e42a2c0bf5698406ec1122a30ccac63a61d9f2a
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of embedded URLs pointing to other PDF files on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests a link farm or distribution mechanism for malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://negocioscontra.com/uploads/1/3/0/5/130588343/moxafaxikiserew_girefodowe_medutugofodawo.pdf
    • http://rossconcretemasonry.com/uploads/1/3/0/7/130775522/zozesoxopinuw_xukazavefopi.pdf
    • http://nursingresourcesaz.com/uploads/1/3/0/6/130621245/punotujemasa.pdf
    • http://tomasharanphoto.com/uploads/1/3/0/4/130483527/5941354.pdf
    • http://trimstechnologies.com/uploads/1/3/0/7/130739557/pagexab-vunewuf-mikovewalunug.pdf
    • http://pokergrindermaster.com/uploads/1/3/0/3/130323453/546407.pdf
    • http://hostmaster.bridgehousesarc.org/uploads/1/3/0/2/130287866/91c0e29.pdf
    • http://bradandrod.com/uploads/1/3/0/6/130639114/6837199.pdf
    • http://www.elpinerorestaurant.com/uploads/1/3/0/5/130539763/aa011065ac3.pdf
    • http://noscopegaming.net/uploads/1/3/0/2/130288348/xezol.pdf
    • http://webmail.poppyavenueboutique.com/uploads/1/3/0/8/130873880/sopobajewe-nulud.pdf
    • http://fisherwear.com/uploads/1/3/0/4/130476760/wurogav.pdf
    • http://splashsteamboat.org/uploads/1/3/0/5/130543318/vixitisiri.pdf
    • http://thedadadvice.com/uploads/1/3/0/6/130620997/mixomixi.pdf
    • http://thewestnewtonpizzahouse.com/uploads/1/3/0/4/130488694/gusapematunelo.pdf
    • http://bethanymelendez.com/uploads/1/3/0/8/130873986/mefejidofeluro-gowevo-kezotugif.pdf
    • http://envisionsuperior.com/uploads/1/3/0/4/130488975/1c112a3fd52.pdf
    • http://millennialcruisers.com/uploads/1/3/0/4/130483809/vorebubevakejom-namaju.pdf
    • http://mltech.com.au/uploads/1/3/0/3/130379231/da787e.pdf
    • http://peanutgalleryphotography14.com/uploads/1/3/0/6/130604588/130604588.html#sentences+of+present+perfect+continuous+tense+in+urdu

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000036dd.bin
7346c6ec04a9481addcc18009051de804ba78c22fbdc5176c65ab4e0aca1d404		 pdf-font-stream PDF embedded font (sfnt) at offset 0x36DD 7848 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.