Malicious PDF — malware analysis report

Static analysis result for SHA-256 621d87e6111a5da9…

MALICIOUS

PDF

Size: 35.0 KB
Authoring application: Nitro PDF
MD5: 0b9e47d1af67376f35ce83af298db063
SHA-1: 5af5c259ac625cfecd2e572a648088b8fab7670f
SHA-256: 621d87e6111a5da917f11cff79f1e0db86ef58ee92db44d55c58b7f3ebecd2ee
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links to external PDF files hosted on various domains, indicative of a link farm or SEO spam campaign. ClamAV detection and ML classification strongly suggest malicious intent, likely related to phishing or malware distribution. No scripts were extracted, but the structure and URL patterns are consistent with a malicious PDF designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000339a.bin
    f76c365dbc35499827e309b600c14f15c327894b8baf63e5eba6b14c81d0ad65
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x339A
    Size: 7704 bytes