Malicious PDF — malware analysis report

Static analysis result for SHA-256 62ddecb2e0de5652…

MALICIOUS

PDF

Size: 40.0 KB
Authoring application: pstoedit
MD5: bbad1b3c5049fb36e839adfb1faef948
SHA-1: 0a5fcd37683749b24e16b236c7c320a119f83111
SHA-256: 62ddecb2e0de5652d13fa0999562cbc04ce9c941b58a08c644c02902704486ee
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs, forming a link farm, which is a common tactic for SEO manipulation or distributing malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution. No scripts were extracted, but the embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://cryptocurrencyanalysis.club/uploads/1/3/0/6/130603929/kededubasadexewu.pdf
    • http://mathkidsannarbor.com/uploads/1/3/0/9/130969963/7151168.pdf
    • http://redefinetherapy.org/uploads/1/3/0/6/130639538/cb29083b305d.pdf
    • http://corporativolazval.com/uploads/1/3/0/7/130740589/b297d.pdf
    • http://www.elisanliving.com/uploads/1/3/0/5/130588475/3614418.pdf
    • http://eternalmediamarketing.com/uploads/1/3/0/8/130873916/xigaferog-pesakijeni.pdf
    • http://www.haniyehc.com/uploads/1/3/0/6/130605346/6859334.pdf
    • http://fieldbuzzllc.com/uploads/1/3/0/2/130289719/cd99e.pdf
    • http://novellaproposals.com/uploads/1/3/0/6/130621052/6921049.pdf
    • http://evepoisson.com/uploads/1/3/0/6/130605383/97546c2e4.pdf
    • http://www.michiganroboticsfoundation.org/uploads/1/3/0/2/130289436/dugomogikemelog.pdf
    • http://iledetanhai.com/uploads/1/3/0/6/130604009/bomiraroxunanepit.pdf
    • http://kindspa.com/uploads/1/3/0/9/130969353/130969353.html#tooth+abscess+symptoms+uk
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00002c31.bin
    SHA-256: 6d92872be9c3c306d8403d8f9d41eef4bdac6d3666306fdc0672e86f9784c507
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2C31
    Size: 16156 bytes
  • Filename: font_01_sfnt_off000043df.bin
    SHA-256: ec16f4034f500fd5d5ac0806a3f8016f3fdbf96e17f713beadc138e3f727d86f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x43DF
    Size: 8156 bytes