Malicious PDF — malware analysis report

Static analysis result for SHA-256 63552327b6b7cd3c…

Verdict: MALICIOUS

File type: PDF

Size: 75.2 KB. Authoring application: Serif PagePlus
MD5: a3655694e7dc0242b5d6549398d02aef SHA-1: bb6ca9a685ce671e438724d8a51f57fcfd88da26 SHA-256: 63552327b6b7cd3c39317e1a0da76f487dfbbd962da127db23b12d36aed49ee9
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection and ML classifier also indicate maliciousness, specifically flagging it as Pdf.Phishing.TtraffRobotInstall. The embedded links are likely used to redirect users to phishing sites or to manipulate search engine rankings, a common tactic for distributing malware or scam content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; heuristic: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; heuristic: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info; heuristic: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off00001c1e.bin
    SHA-256: 61fc20e5ecb2d3c3a7d503d68dcfd3c4ffacb91883849ff1ff951d530f81229e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1C1E
    Size: 10360 bytes
  • font_01_sfnt_off0000e21a.bin
    SHA-256: c7a184606db05448ada71d85cb1c85fcc3b886c038ea85a2ec3dd0ca1bebe3fe
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE21A
    Size: 16092 bytes