Malicious PDF — malware analysis report

Static analysis result for SHA-256 5eb1841262f103c4…

Verdict: MALICIOUS
File type: PDF
Size: 36.2 KB
Authoring application: Solid Converter PDF
MD5: 5f5407b7fc239913e79e40e6f64f0fed
SHA-1: 3af95414994b6d77e83112f3b7f7e34a222b9425
SHA-256: 5eb1841262f103c4ac6cf84c09cb5fbfa635fe630f453b2887d7a135494c3828
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document is identified as malicious by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule and a high-confidence ML classifier. The document body, disguised as an IELTS score calculator, contains a mass of external links pointing to other PDF files, indicating a link farm designed to distribute malicious content. No scripts were extracted, but the embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ianexplains.net/uploads/1/3/0/6/130620708/2694495.pdf
    • http://bobatree.site/uploads/1/3/0/6/130620367/fc6ffd4278c.pdf
    • http://buysellbell.com/uploads/1/3/0/5/130547078/mimorejafewiwope.pdf
    • http://plumluvfoods.com/uploads/1/3/0/5/130588802/gubekewuw-kunakedate-zuvexozavolovel.pdf
    • http://casaservicesfinanciers.com/uploads/1/3/0/4/130436402/59deacfc17bf.pdf
    • http://novelsf.com/uploads/1/3/0/4/130489331/2133496.pdf
    • http://gos.rurostelekomk.ru/uploads/2020/01/29/6007587.pdf
    • http://northeastflowershop.com/uploads/1/3/0/5/130588153/kapilevujajip.pdf
    • http://mhrandlenovels.com/uploads/1/3/0/5/130588337/130588337.html#ielts+listening+and+reading+score+calculator+british+council

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011a5.bin
SHA-256: 9b9a37f7f9ab9dbfabd8970c63dc012c1109cb213723e151715db33defcddc30
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11A5
Size: 7488 bytes