Malicious PDF — malware analysis report

Static analysis result for SHA-256 60f2ab69c823b7ba…

MALICIOUS

PDF

Size: 40.4 KB
Authoring application: ImageMagick
MD5: 5c2717a884315d2c4a8560a38ca3a953
SHA-1: 6ebcc85706c12e748719c8942fcbed73cd9ffbea
SHA-256: 60f2ab69c823b7ba17f618499cd6017e2f052022a85138712bee33391a493262
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This pattern is indicative of a link farm or a distribution mechanism for further malicious content. The ML classifier and ClamAV detection strongly suggest malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003c10.bin
          170ba424b6ec68a9adb59b3c0275442a51c016b6bf522ea310525b3e90f2ab0c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3C10
Size: 8032 bytes