Malicious PDF — malware analysis report

Static analysis result for SHA-256 63c319ee6fa2fcc7…

Verdict: MALICIOUS
File type: PDF
Size: 50.1 KB
Authoring application: Smallpdf Desktop
MD5: c54412f068082be832ea1767c62e442b
SHA-1: f57bdcb0e7920e8b35a949991316d79fe6b54020
SHA-256: 63c319ee6fa2fcc7f80560138d5c57b82ef28fbc2b513649f9bd0dc17d6fc130
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF file contains a mass external link farm: 25 links point to other PDF files hosted on various domains. This pattern is consistent with SEO manipulation or a phishing campaign designed to redirect users to potentially malicious content. The ClamAV signature hit and the ML classifier verdict corroborate the malicious classification.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    The small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind             Source                                       Size
font_00_sfnt_off00004376.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x4376   6252 bytes
  SHA-256: 9ee17cc2bdb948cbd58bfc62b62597d283aa9bc9c0e2b04a7cc0a17a0e8555da
font_01_sfnt_off00005221.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x5221   2828 bytes
  SHA-256: cfb3357b20fb01955c1e4a0ed568c791e3a97db8f0fbaa18432a833eaa1d19da
font_02_sfnt_off00005ebc.bin    pdf-font-stream  PDF embedded font (sfnt) at offset 0x5EBC   8060 bytes
  SHA-256: 9e81c003026e6f9f0f735305e51bf09b17188333ea1d92f25d0b6eeceecb85c7