Malicious PDF — malware analysis report

Static analysis result for SHA-256 62518f03ed3f43cb…

MALICIOUS

PDF

Size: 40.8 KB
Authoring application: PDFBox
MD5: e264162954a530af3f99531efbafa62b
SHA-1: 9bc1b83bff2b01bf66e344396ae89468aa0b280a
SHA-256: 62518f03ed3f43cb9f398e1ff8ffb5fee80f72568552effaa6158ef1e8d67400
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links to other PDF files, identified as a link farm. The ML classifier and ClamAV detection strongly indicate malicious intent, specifically related to phishing or malware distribution. The document body, though heavily obfuscated, mentions 'piano notes pdf', suggesting a lure to disguise the malicious nature of the links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003dd8.bin
SHA-256: 3da08c943270f6ee8f363862f9e10fe1bacc17c94ac9f00f281880a2bd6a5de2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3DD8
Size: 9220 bytes