Malicious PDF — malware analysis report

Static analysis result for SHA-256 668046ba786f3d18…

MALICIOUS

PDF

Size: 36.5 KB
Authoring application: PDFedit
MD5: bed6916278f9a0ba9ed9c6333dece9e4
SHA-1: 608ebd447af083820593a705579d1a53eda01abb
SHA-256: 668046ba786f3d183df70ba611cf4ed1fc457dd37ab7461090c0eb6cebdbb378
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO spam or to distribute malware. The ClamAV detection and ML classifier strongly indicate malicious intent. The embedded URLs are likely part of a link farm designed to drive traffic or distribute malicious payloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    The small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000035af.bin
SHA-256: 40a862eb9ec58c7f729cdc2e77adf674f2439e79b14da60d29d70d6db61e2acd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x35AF
Size: 7568 bytes